Ben Caudill and Bryan Seely's Secret hack turns the app's vague "Friend" label into a tattle-tale. (Image: Ben Caudill)

You haven’t shared anything really secret on Secret, right?

Good. Because a Seattle hacker has outed the popular anonymous social media app as one lousy confidante.

Ben Caudill and Bryan Seely of Seattle’s young Rhino Security Labs figured out a way to reveal any Secret user’s anonymously shared posts, or “secrets,” using only an email address or phone number.

The relatively simple hack, which Caudill shared with Secret and, after the vulnerability was fixed, with Wired senior editor and former hacker Kevin Poulsen, made for a much-shared cautionary tale about the security that Internet companies keep insisting they can give us.

What will it take, do you think, for us to finally stop believing them?

“The thing we try to help people acknowledge is that anonymous doesn’t mean untraceable,” Secret CEO David Byttow told Poulsen in Wired, contradicting the spirit of every bit of marketing that went out with the app.

“We do not say that you will be completely safe at all times and be completely anonymous.”

In other words, “anonymous social media” has always meant “anonymous enough social media.”

Ben Caudill

*Sigh.*

Ethical hackers like Caudill are the heroes of these spin wars, but their power scares me, too. Where most of us clueless users can’t help but see a magical, wonderful Internet that could be anything eager app developers claim, they see an imperfect structure full of vulnerabilities just waiting to be exploited.

It’s just one little step from Luke to Darth Vader, you know?

“You underestimate the power of the Dark Side…”

Caudill gets where I’m coming from.

“I think of myself as the guy that walks into a bank and, kind of casually, sees where the guards are, where the security cameras are, where the vaults are close to the windows — which may all seem malicious, but it’s just the way I see the world anymore,” he said.

(Image: Ben Caudill)

Caudill collected a reward, or “bounty,” for reporting his and Seely’s hack to Secret. But he didn’t do it for the money. (There was no money. Though companies like Yahoo and Square give cash bounties in the hundreds of dollars to users of the bug reporting and reward platform Hacker One, Secret sticks to gift baskets, he said.)

He did it because — in the true hacker spirit — he wanted to see if it could be done.

The publicity didn’t hurt his 18-month-old security company, either.

Caudill explained the hack in a company blog post, but to put it briefly, it begins with a feature Secret uses to protect the identity of its users: the app does not label posts in your feed as having come from a “friend” unless at least 10 of your own contacts — phone contacts or Facebook friends — are also Secret users.

“The basis of the exploit is this: if we can create a new Secret account (let’s call this account BadGuy), create a bunch of dummy friends (BadGuysFriends 1 through 10), and then add one single genuine person (the victim), we can see what secrets the victim has posted,” Caudill wrote.

Targeting one or two users this way is tedious, but thanks to Secret’s API, Caudill wrote a script that automated the creation of dummy accounts, turning the trick into a particularly potent truth serum. Users’ past secrets were vulnerable, too.


And just like that, the app’s anonymity was only as secure as a hacker’s desire to get to it.

“Time and time again, we’ve had to explain to people that good, effective cyber-security is just as much a mindset as it is a technical challenge,” Caudill wrote.

“Better to have a pro find that vulnerability, rather than a bad guy, right?”

As for Secret, Caudill says he’s an occasional user and acknowledges what Secret CEO Byttow reveals in his Wired comments to be the ugly and frequently downplayed nature of security in the digital age: It’s always in beta.

Should we be uninstalling Secret and every other app that seduces our trust? Nah.

But it’s past time for any of us to stop clinging to this ideal of absolute digital security when none could possibly exist.

Better to err on the side of “serious skepticism,” as Caudill puts it, and view security not as a binary on/off switch, but as a property whose strength relies on what, exactly, you’re protecting.

Got a secret so hot it could burn you?

You might want to keep it to yourself.
