Monday, May 30, 2022

Yik Yak Anonymous Messaging Platform Had An Information Disclosure Bug


Researchers have discovered a serious security bug in the anonymous messaging platform Yik Yak that exposed user data. While the platform claims to ensure anonymity, the bugs conflicting with this supposed goal remained unpatched for quite a long time.

Yik Yak Bug Leaking Users’ Information

Reportedly, a serious information disclosure bug existed in the Yik Yak platform that potentially risked users’ anonymity.

Yik Yak is a messaging app that allows users within close proximity to communicate anonymously via threads and discussions. It’s a popular app with an estimated user base of 2 million.

This functionality means that the app should hide the users’ details to the maximum extent possible. However, the vulnerability in question disrupted this intention.

According to the researcher David Teather, the app exposed the GPS coordinates of users, with up to 15 feet accuracy. This bug appeared because the threads and comments returned the user ID. In turn, the user ID and GPS coordinates, when linked, could easily de-anonymize a user. Explaining the impact of this information disclosure, the researcher stated in his post,

“Since people are more likely to use their phones thus YikYak at home it’s possible to determine the area where a user lives within 10-15 feet. This ability to de-anonymize is much more of a risk in low density rural areas… Since user ids are persistent it’s possible to determine a user’s daily routine of when and where they post YikYaks from, this can be used to find out the daily routine of a particular YikYak user.”

Patch Deployed… Eventually

According to the Daily Swig, the vulnerability caught the attention of two different security researchers. While the latest bug report arrived from David Teather, before him, another researcher, Mika Melikyan, also disclosed the same bug in a separate post. Like Teather, Melikyan also reported the matter to the app developers. However, the bug remained unpatched for quite a long time, potentially exposing the users’ information online.

Eventually, the app developers seemingly decided to address the matter and started releasing the fix. According to Teather, the developers first rolled out Yik Yak version 1.4.3. However, it didn’t completely patch the bug. Eventually, the developers made further changes with a subsequent update that “rounded all GPS coordinates sent to the client”.
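The kind of server-side fix described above, as an added example (this is not Yik Yak's code; the field names, the allow-list and the 2-decimal precision are assumptions): a filter that builds the client-facing view of a post from an allow-list, so the persistent user ID is never serialized, and rounds coordinates in both posts and their comments.

```python
import math

# Assumed policy, not taken from the article: keep 2 decimal places.
COORD_DECIMALS = 2
# Hypothetical allow-list: only these fields ever reach the client, so a
# server-side field such as "user_id" cannot leak by being forgotten.
CLIENT_FIELDS = ("id", "text", "created_at", "lat", "lon")
METERS_PER_DEGREE_LAT = 111_320  # approximate length of one degree of latitude


def coarsen(value, decimals=COORD_DECIMALS):
    """Round a coordinate so the client only learns a grid cell."""
    return round(float(value), decimals)


def cell_size_m(lat, decimals=COORD_DECIMALS):
    """Approximate (north-south, east-west) size in metres of one grid cell."""
    step = 10 ** -decimals
    north_south = step * METERS_PER_DEGREE_LAT
    east_west = north_south * math.cos(math.radians(lat))
    return north_south, east_west


def sanitize_post(post):
    """Return a new dict holding the client-facing view of a post or comment."""
    out = {k: post[k] for k in CLIENT_FIELDS if k in post}
    for key in ("lat", "lon"):
        if key in out:
            out[key] = coarsen(out[key])
    # Comments carried the user ID too, so they get the same treatment.
    out["comments"] = [sanitize_post(c) for c in post.get("comments", [])]
    return out


# Constructed sample record; IDs and coordinates are made up for illustration.
SAMPLE_POST = {
    "id": "post-1", "text": "hello", "user_id": "u-1234",
    "lat": 40.712776, "lon": -74.005974,
    "comments": [{"id": "c-1", "text": "hi", "user_id": "u-5678",
                  "lat": 40.713001, "lon": -74.006102}],
}

if __name__ == "__main__":
    print(sanitize_post(SAMPLE_POST))
    print("cell size (m): %.0f x %.0f" % cell_size_m(40.71))
```

Rounding limits how precisely a single post can be placed, while omitting the persistent ID removes the link between one post and the next; the example applies both because the article attributes the de-anonymization to the two being combined.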

Describing more about the fix, Teather stated in his tweet,

Let us know your thoughts in the comments.
