Researcher at SilverSky Labs unearthed a vulnerability in Yik Yak iOS messaging App leveraging on the anonymous feature of the App. Exploiting the vulnerability would allow a hacker to reveal the reveal identity of the Yik Yak user, read previous posts and send new messages.
Following a string of embarrassing privacy scandals sparked by Edward Snowden earlier this year, everybody seem to be going dark, with web anonymity and privacy taking center stage when deciding which Apps to install in our devices. Every new App or social media platform is now promising the perfect mix of web privacy and anonymity. What many users don’t know is that some the apps don’t live up to their expectation and the user’s identity could easily be de-anonymized in few clicks.
This anonymity illusion is what has been propelling Yik Yak iOS App users’ to share their thoughts freely before SilverSky Labs researchers unearthed a vulnerability in the messaging App which could enable a malicious hacker to unmask real identity of a Yik Yak user.
Yik Yak is an anonymous messaging iOS app popular with US college students since it launch in 2013. In theory, the App allows one to send anonymous messages to peers within a two mile radius, but in practice, an Intern at SilverSky Labs was able to circumvent the Anonymous clause, reveal the user’s identity and remotely control their accounts.
Exploiting the vulnerability would enable “An attacker to view all of the target’s previous posts, make new posts, and literally log in to the app using the target’s credentials,” says Sanford Moskowitz, the researcher at SilverSky Labs who discovered the vulnerability.
Notably, hacking Yik Yak does not necessarily need a computer geek. It only requires an average hacker sharing the same wireless network with the target, very possible in a college wireless network. “This attack can be easily conducted by anyone on the same network as the target; which is a very common situation for Yik Yak’s main demographic: college students,” writes Moskowitz in a blog.
The problem lies with how Yik Yak encrypts its messages and communicates over the network with other third part Apps. Apparently, Yik Yak communicated with third party service providers in an unencrypted format. This according to Moskowitz allowed a hacker sharing in the Wi-Fi network to get the user’s ID number.
A weak encryption coupled with a poor authentication procedure would enable anyone armed with a user’s ID number, to easily login into the user’s account, see their previous posts and send new messages. Furthermore, revealing the real identity of the user would require running the ID through a freely available software such as Wireshark, linking the Yik Yak account to other social media sites and ultimately giving away the user’s real identity.
Yik Yak immediately patched up the vulnerably and urged its App users to update their iOS App or risk an attack now that the vulnerability is public knowledge.
In the meantime, the vulnerability should serve as a warning to internet users that web anonymity does not necessarily mean being completely anonymous. “Be careful what you say or do on social media. You’re probably not as anonymous as you think,” concludes Moskowitz.