Not so Secret? How a hack could have killed app's anonymity

It's now been fixed, but a social-engineering trick could have been used to make your Secret app posts a lot less secret.

Seth Rosenblatt Former Senior Writer / News

Sample posts from Secret on the app's homepage. Screenshot by Seth Rosenblatt/CNET

Anonymity app Secret and an independent security consultant are coming clean about a hack that could have destroyed the entire point of the popular secret-sharing app.

Bryan Seely, who made headlines earlier this year with a Google Maps hack that let him listen in on FBI and Secret Service phone calls, figured out how to identify the person behind specific posts to Secret. The app has become popular because it lets you share secrets with your friends without revealing who you are. Seely built his hack around a small nugget of identifiable information that Secret makes public: your connection to the poster.

Secret identifies three levels of connection to a person: friend, friend of friend, and stranger. Seely was able to take advantage of that and created a way to determine the person behind a Secret post.

"We showed David [Byttow, Secret's co-founder and CEO] a photo [that he took] that we pulled from Secret. He asked us if we were submitting a bug report," said Seely, chief technology officer for Rhino Security, a small analysis and research startup that nevertheless counts big-name investor Mark Cuban's Cyber Dust firm as a client.

"He [Byttow] was worried that it was a shake-down," Seely said.

The vulnerability that allowed the hack has now been fixed, Secret says.

'A clever social-engineering trick'

But in fact Seely was following security industry principles of responsible disclosure and gave Secret a chance to fix the problem before disclosing the vulnerability to the public. Or, as Seely put it, he followed the ethical guidelines of "not making a $34 million startup go poof."

"It's a bit of a clever social-engineering trick," Byttow told CNET in an email conversation. "It's not easily automated (and never has been) to do widespread damage."

In social-engineering hacks, intruders take advantage of human nature and the ways people tend to behave, rather than burrowing into software code to unlock access points into computers.

Seely's hack involved creating dummy Secret accounts that were "friends" with each other, so they appeared to be legitimate Secret users, but had only one "real" contact listed in their friends list, the contact information of the targeted Secret user. Secret automatically matched that contact info to the person's Secret profile, and so the only direct "friend" contact who appeared in the dummy account's stream was the target contact.

Take off your glasses, Clark Kent: your Secret identity has just been revealed.

Although Byttow was initially skeptical of the hack, Seely said that he and his partner at Rhino, Ben Caudill, soon won Byttow over. "He knew which attack vector we were coming in with," Seely said. "I was ballsy enough to send him one of his [Secret posts]."

If Byttow was initially skeptical of Seely's claims, that's no longer the case. Byttow sounded only notes of enthusiasm for independent security researchers.

"I love that there are clever, intrepid people out there that care enough to try and defeat systems that make security claims. It keeps everyone honest," Byttow said.

Still, he wouldn't reveal a more precise timeline of the hack, or what Secret did to fix it. He did say that the exploit method Seely used was originally discovered in May, although he didn't elaborate on why it wasn't fixed until recently.

"He [Seely] was not able to get any sort of IDs," Byttow said. "He was able to infer that a new post was coming from a single user in a contact list."

Seely speculated that the fix involved the creation of a threshold that prevents new accounts from friending the same person too rapidly.
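
The two ideas above, the one-person friend set Seely's dummy accounts produced and the friending threshold he speculated about, can be sketched as server-side checks. This is an added example, not Secret's code or its actual fix: the data model, function names, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict

# Assumed policy values for this sketch; none of them come from Secret.
DAY = 86400
NEW_ACCOUNT_AGE = 7 * DAY   # accounts younger than this count as "new"
MIN_FRIEND_SET = 3          # smallest established friend set that may see "friend" posts
WINDOW = 3600               # sliding window for the friending threshold (seconds)
MAX_NEW_ADDERS = 3          # new accounts allowed to add one contact per window

def established_friend_set(viewer_contacts, account_age):
    """Registered, non-new accounts a 'friend' post in this viewer's feed could come from."""
    return {c for c in viewer_contacts if account_age.get(c, 0) >= NEW_ACCOUNT_AGE}

def may_show_friend_posts(viewer_contacts, account_age):
    """Withhold 'friend'-labelled posts while the real anonymity set is too small."""
    return len(established_friend_set(viewer_contacts, account_age)) >= MIN_FRIEND_SET

def flag_targeted_contacts(events, account_age):
    """events: (timestamp, account, contact_added). Returns contacts added by more
    than MAX_NEW_ADDERS distinct new accounts inside one WINDOW."""
    adds = defaultdict(list)
    for ts, account, contact in sorted(events):
        if account_age.get(account, 0) < NEW_ACCOUNT_AGE:
            adds[contact].append((ts, account))
    flagged = set()
    for contact, seen in adds.items():
        start = 0
        for end, (ts, _) in enumerate(seen):
            while ts - seen[start][0] > WINDOW:   # slide the window forward
                start += 1
            if len({acct for _, acct in seen[start:end + 1]}) > MAX_NEW_ADDERS:
                flagged.add(contact)
                break
    return flagged

# Constructed sample data: account ages in seconds and contact-add events.
ACCOUNT_AGE = {"target": 90 * DAY, "bob": 200 * DAY, "carol": 30 * DAY, "erin": DAY,
               "dummy1": 600, "dummy2": 600, "dummy3": 600, "dummy4": 600}
DUMMY_CONTACTS = ["target", "dummy2", "dummy3", "dummy4"]   # dummy1's contact list
ORDINARY_CONTACTS = ["target", "bob", "carol", "not-a-user"]
EVENTS = [(0, "dummy1", "target"), (120, "dummy2", "target"), (240, "dummy3", "target"),
          (300, "dummy4", "target"), (500, "erin", "bob"), (900, "carol", "bob")]

if __name__ == "__main__":
    print(established_friend_set(DUMMY_CONTACTS, ACCOUNT_AGE))
    print(may_show_friend_posts(DUMMY_CONTACTS, ACCOUNT_AGE))
    print(flag_targeted_contacts(EVENTS, ACCOUNT_AGE))
```

Counting only established accounts is what keeps a list padded with freshly created friends from looking like a large anonymity set.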

Bug bounties

Although Secret challenges the accepted norm for privacy and online sharing by removing identification from public view, the company hasn't been ignorant of security concerns. Founded in January by ex-Square Wallet technical lead Byttow and former Google product manager Chrys Bader-Wechseler, Secret has had a bug-bounty program for crowd-sourcing security bug-hunts for most of its short lifetime, with 34 hackers uncovering 42 security problems so far, Byttow said.

Bug-bounty programs, which can involve payouts of thousands of dollars, are common at large firms like Google and Facebook, but they're rare at the startup level. Few startups invest in bug bounties, often citing the cost or user bases too small to justify expensive security experts. Yet Byttow noted that Secret hired, for its permanent security team, two hackers whom the company found through its bug-bounty program.

Seely's security warning appears to have had an impact on Secret's co-founder, beyond fixing the vulnerability.

"[A]s a result of this, Bryan and I trust each other, and he feels confident in our ability to protect members," Byttow said. "He also posts secrets daily, which is a great endorsement from the penetration testers."

It is, at least, until the penetration testers close their accounts. But for now, Secret's got at least one unaffiliated security expert on its side.