Secret tightens its posting rules as white hat hackers find more holes in the system

42. That’s the number of security holes 38 white hat hackers have discovered in the Secret app since February, according to Wired. One vulnerability in particular allowed a hacker to pull up a Wired reporter’s Secret posts and show them to him.

Having someone unmask you, linking your posts to your name, is every Secret user’s worst nightmare. Although there have certainly been reports in the past about the app’s potential vulnerability, it’s a different issue entirely to be put face-to-face with someone reading your Secrets aloud to you. And as Wired detailed, the hacker’s process was a terrifyingly simple one.

The hacker wiped his contact book and only added one friend by email — the person whose Secrets he wanted to expose. He then created fifty dummy Secret accounts and added them too. Presto — when he loaded the app, if a Secret was “in his circle,” he knew it was from his target.

The rush of tech readers to delink their Secret posts: A sound heard across the world.

A Secret spokesperson told me, “To be clear,  there still remains no way to verifiably associate a post with a phone number, email address or Facebook ID in Secret. The hack that Wired covered required deduction – the hacker asked David if the post was his, there was no ID or phone number discovered, and has been addressed.”

Fortunately, the hacker who discovered the flaw reported it to the company through the HackerOne bug bounty program and Secret told Wired it has since been patched. More worrisome, perhaps, is that fact that according to Wired this flaw had been surfaced before by Russian white hat hackers, was fixed by Secret, and then somehow resurfaced again.


Even more so than cyberbullying, security issues like this could fell the company. If people using the app don’t believe the Secret they post is safe, they’re going to post far less frequently, and they’ll be afraid to post when they really want or need to. The erosion of trust could result in people using the app less and less. A vulnerability like that reported by Wired certainly doesn’t instill a lot of faith in the protective nature of the app. Byttow told the publication, “We do not say that you will be completely safe at all times and be completely anonymous.”

It’s worth noting that there’s no reported case yet of a hacker using the data for “evil.” All bugs found have been by the good guys who report it through the bounty program without compromising user data, which is the point of the whole thing. Secret CEO Daivd Byttow told me, “We greatly value the posts on our bug bounty program, which by design help to fix bugs before they become problems for the community…Many reports are hackers making sure that we’re doing all of the right things, which is the way we want it.”

In other, unrelated Secret news, the company has tightened its community guidelines to try to restrict cyberbullying on the app. Now, you can’t post a Secret with a private person’s name — public figures are still fair game — without Secret removing it, even if you’re saying something nice. To make sure images stay appropriate, Secret has also hooked up with Flickr. A Secret spokesperson tells me they’ve been working on forging this partnership since February. She said, “We’re really excited to see how the beautiful images from their library will bring more expressiveness to the stream.”

People can choose from a library of “billions” of Flickr photos for their background and they can still take and upload a photo in real time, but they can’t upload from their camera roll. Since the Flickr shots are pre-approved, that will help the company scale its image moderation by limiting the number of pictures human moderators have to view. It’s also exactly what Secret’s competitor Whisper does.

Secret seems to be in that startup phase where it’s busy solving one huge, company-threatening problem, only to have another one rear its head. Whether its cyberbullying, country-wide bans, or security issues, Secret is going through a rough patch.


This post was updated with comment from Secret after it was published.