Your Secret posts may not be as secret as you think. A new report from Wired describes an attack on the service that lets researchers reveal every post written by a given author. The attack is simple: researchers at Rhino Security created a network of dummy accounts and left the target's email as the only real name in their contact list. From afar, it looked like they had a big group of friends, so Secret let them use the app normally, but really it was one real person surrounded by dummies. Since there was only one real account in the pool, any post that showed up had to have been written by the target. The result is a full list of your favorite friend's Secret posts, all indelibly tied to his or her name.
To a lot of people in the security world, this is old news. The attack has been known for a while, and it works off a weakness built into the nature of Secret itself. The app's main anonymity protection is the friend pool. You need a few dozen contacts to join, so any individual post could have come from a few dozen different accounts. All you need to beat it is a few dozen dummy accounts, so the fight is always between attackers making bots and Secret weeding them out. Rhino broke through recently because, for whatever reason, Secret's anti-bot services had been slacking in the past few weeks. As soon as Secret learned about the vulnerability, the company closed the loophole, presumably by tuning the bot protections back to previous levels. It's not a novel attack so much as a brief slip in Secret's war on bots.
But who says you need bots at all? Dummy accounts are the fastest way to get enough contacts, especially if you're trying to code your way inside, but why not just make 35 friends who don't post? There's no way for Secret to protect against that. Even Poulsen's example of a sensitive post — "At work I'm being given more and more responsibility. Silently I'm struggling with mental illness" — gives away more than a few clues. You can rule out your unemployed friends off the bat. Has anyone gotten a raise lately? It's always possible to Poirot your way back to the source.
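The two situations described above, one real contact among bots and one real contact among quiet friends, come down to the size of the set of accounts a post could have come from. The following is an added example, not Secret's code or Rhino Security's; the account names, the contact lists, the activity-based `is_real` check and the `min_real_contacts` threshold are all constructed assumptions used to show why bot filtering restores the anonymity set in the first case and cannot in the second.

```python
"""Toy model of the friend-pool anonymity set behind a Secret-style feed.

Added illustration, not the service's code. The bot heuristic and the
threshold below are assumptions chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    contacts: set[str] = field(default_factory=set)
    posts_made: int = 0   # activity signals a bot check might look at
    days_active: int = 0


def is_real(acct: Account) -> bool:
    """Constructed stand-in for an anti-bot check: a freshly created account
    with no history is treated as a dummy. Real accounts that simply never
    post still pass, which is exactly the gap the article points out."""
    return acct.days_active >= 7


def anonymity_set(viewer: Account, directory: dict[str, Account],
                  bot_filter: bool) -> set[str]:
    """Accounts a post in `viewer`'s feed could have been written by.

    Without a bot filter every contact counts; with it, only contacts
    that pass `is_real` are counted as candidate authors."""
    candidates = {c for c in viewer.contacts if c in directory}
    if bot_filter:
        candidates = {c for c in candidates if is_real(directory[c])}
    return candidates


def feed_enabled(viewer: Account, directory: dict[str, Account],
                 min_real_contacts: int) -> bool:
    """Mitigation: withhold friend posts until the viewer has enough real
    contacts, so no single post can be pinned on one person."""
    return len(anonymity_set(viewer, directory, True)) >= min_real_contacts


def dummy_scenario(n_dummies: int = 35) -> dict[str, Account]:
    """Constructed: one long-standing target plus brand-new dummy accounts."""
    directory = {"target": Account("target", posts_made=12, days_active=400)}
    for i in range(n_dummies):
        directory[f"dummy{i}"] = Account(f"dummy{i}")  # no history at all
    directory["viewer"] = Account("viewer", contacts=set(directory))
    return directory


def quiet_friends_scenario(n_friends: int = 35) -> dict[str, Account]:
    """Constructed: the target plus real, established friends who never post.
    Every account passes the bot check, yet only one of them writes posts."""
    directory = {"target": Account("target", posts_made=12, days_active=400)}
    for i in range(n_friends):
        directory[f"friend{i}"] = Account(f"friend{i}", days_active=200)
    directory["viewer"] = Account("viewer", contacts=set(directory))
    return directory


def posting_candidates(viewer: Account, directory: dict[str, Account]) -> set[str]:
    """What the filter cannot fix: among the accounts that pass the bot check,
    only those that actually post can be the author of anything."""
    return {c for c in anonymity_set(viewer, directory, True)
            if directory[c].posts_made > 0}


if __name__ == "__main__":
    d = dummy_scenario()
    v = d["viewer"]
    print("bots, no filter :", len(anonymity_set(v, d, False)))
    print("bots, filtered  :", anonymity_set(v, d, True))
    print("feed enabled    :", feed_enabled(v, d, min_real_contacts=7))
    q = quiet_friends_scenario()
    print("quiet friends   :", len(anonymity_set(q["viewer"], q, True)))
    print("who ever posts  :", posting_candidates(q["viewer"], q))
```

Run as a script it prints the two cases side by side: with dummies, the bot filter shrinks the candidate set to the target alone and the threshold keeps the feed closed, which is the fix the article describes; with established but silent friends, the filter passes all 36 accounts and the feed opens, yet `posting_candidates` still narrows to one person, which is why the article calls the protection social rather than technological.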
That's part of why Secret bills itself as "anonymish" rather than fully secure. It's a strange word: how can you be halfway anonymous? In part, it means you end up trusting your followers not to do too much legwork. Like a masquerade ball, the secrecy is more social than technological. Secret wants to be a place where you can slip out of your identity for a while, but the company has never bothered with the rigors of hard security. The service has it both ways, offering the warm glow of anonymity without the stress of the OpSec world.
It's a good idea, but it comes with a price. From time to time, security veterans like Rhino will call the service out — and anyone who's shared something sensitive on Secret will have to wonder whether they've made a mistake.