clock menu more-arrow no yes

Filed under:

Security intern uncovers major vulnerability in Yik Yak messaging app

New, 18 comments

Yik Yak pitches itself as an easy way to post anonymous messages to users in your area, but a new report suggests the popular app may have a real security flaw on its hands. Written by Sanford Moskowitz, a security research intern at SilverSky Labs, the report details how an attacker on the same Wi-Fi network as his target could take complete control over the target's Yik Yak account, using only a monitor-friendly network card and a packet analyzer like Wireshark. If Moskowitz's report holds up, it could present a real problem to the increasingly popular app, which has billed casual anonymity as one of its chief selling points.

A way to take complete control over a target's Yik Yak account

The heart of the vulnerability is Yik Yak's UserID, a string of characters used to authenticate each user to the service as a whole. Because the UserID is Yik Yak's only form of authentication, you can effectively masquerade as any user once you have their UserID. Communications between the app and the Yik Yak server are protected over HTTPS, effectively disguising the UserID, but the app also communicates with servers for various third-party ads and analytics tools, some of which are less careful about disguising the UserID.

Moskowitz seized on one particular tool called Flurry that transmits the UserID in plaintext, exposing it to anyone who might be listening in from the same Wi-Fi network. From there, taking over a user's account is as simple as launching a modified version of the program that subs in the new UserID, a process Moskowitz walks through in detail. Moskowitz doesn't say if he disclosed the bug to Yik Yak before publishing his report online, so it's possible this news is taking the app team by surprise. A similar vulnerability had been previously reported for the Android version of the app and has yet to be addressed. We have reached out to the Yik Yak team, and will update with any response.