Hackers at Rhino Security Labs figured out a way to dupe Secret's system.
To join Secret's community, the app imports your contacts. It then labels which posts are from your friends.
To prevent you from tracking a particular person, Secret requires that seven of your contacts post to the network before it labels their posts.
But here's the hack: Fill your phone's contact list with fake people and only one real contact -- your target. If you control posts coming from these dummy Secret accounts, it's easy to spot when your real "friend" is posting.
"Poison the data on the outside, bring it in as trusted data, and voilà! You make the system work for you," said Bryan Seely, a Rhino researcher in Seattle.
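The labelling rule and the poisoned contact list described above, modelled as an added example (this is not code from Secret or from Rhino Security Labs). It shows why a raw count of seven contacts says nothing about the anonymity set the viewer actually faces. The `cluster` field is a hypothetical stand-in for whatever signal a service has that several accounts are run by one party, and the hardened rule built on it is an assumption, not a fix the article reports.

```python
from dataclasses import dataclass

THRESHOLD = 7  # the article's figure: seven contacts must post before labelling

@dataclass(frozen=True)
class Account:
    phone: str    # identifier matched against the imported contact list
    cluster: str  # hypothetical signal: accounts registered from one device share a value

def naive_label_allowed(posting_contacts):
    """Rule as the article describes it: only the number of posting contacts counts."""
    return len(posting_contacts) >= THRESHOLD

def independent_authors(viewer, posting_contacts):
    """Size of the anonymity set the viewer really faces.

    Accounts in the viewer's own cluster are ignored, and each remaining
    cluster counts once, so accounts run by one party cannot pad the total.
    """
    return len({a.cluster for a in posting_contacts if a.cluster != viewer.cluster})

def hardened_label_allowed(viewer, posting_contacts):
    """Apply the same threshold to independent authors instead of raw matches."""
    return independent_authors(viewer, posting_contacts) >= THRESHOLD

# Constructed sample data (not real accounts).
VIEWER = Account("+1-555-0100", "dev-A")
POISONED = [Account(f"+1-555-01{i:02d}", "dev-A") for i in range(1, 7)]  # six dummies
POISONED.append(Account("+1-555-0199", "dev-T"))                        # one real contact
ORGANIC = [Account(f"+1-555-02{i:02d}", f"dev-{i}") for i in range(7)]   # seven unrelated people

if __name__ == "__main__":
    for name, contacts in (("poisoned", POISONED), ("organic", ORGANIC)):
        print(name,
              "naive:", naive_label_allowed(contacts),
              "independent:", independent_authors(VIEWER, contacts),
              "hardened:", hardened_label_allowed(VIEWER, contacts))
```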
Oops! The 'Secret' app didn't actually keep you anonymous http://t.co/EEdMmcpY6g via @Jose_Pagliery pic.twitter.com/CecBTD0p19
— CNN Tech (@cnntech) 22 August 2014