Yik Yak flaw let hackers deanonymize and take control of your account

Sharing your innermost secrets on the web anonymously isn’t as safe as you thought it was.

Cloud-based security firm SilverSky Labs has unearthed a major flaw in anonymous social messaging app Yik Yak, which displays a feed of anonymous messages based on a user’s location. Yik Yak fails to encrypt a seemingly “innocuous” component of the app, which ultimately led to the vulnerability, the firm said in a blog post issued on Friday.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1620520,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,social,","session":"C"}']

SilverSky Labs says that it alerted Yik Yak on December 2 to the vulnerability and that the company was fast to respond, pushing out a security fix in the form of an app update the following morning.

Still, that this glaring vulnerability ever existed is shocking for an app that promises secure anonymous sharing of your top secret thoughts.

The problem starts with Yik Yak’s login process. The app requires only a user ID — no password. If you can figure out what a person’s user id is, you can gain access to their full account.

Yik Yak uses HTTPS to encrypt communication between the app and the server, so potential attacks can’t monitor traffic between the two — which would be one way to find someone’s user ID. But of course, Yik Yak doesn’t just communicate with its server. There are plenty of third-party applications Yik Yak talks to, like mobile analytics tool Flurry.

It seems that Flurry disables HTTPS, so all the information exchanged between Flurry and Yik Yak appears in plain text. Meaning, anytime a user launches the Yik Yak app, their user ID appears in the communication chain between Flurry and Yik Yak. Anyone watching that traffic now has a user ID.

In a more robust blog post, SilverSky’s researchers explain how to deanonymize the account by looking for clues, like an IP address, and how attackers can achieve a full takeover of the account. Once an account is taken over, hackers have full control of posts:

“An attacker is able to view all of the target’s previous posts, make new posts, and literally log in to the app using the target’s credentials. This attack can be easily conducted by anyone on the same network as the target; which is a very common situation for Yik Yak’s main demographic: college students. As an example of an attack, hacktivists could exploit this vulnerability to identify bullies on their school’s WiFi network.”

However, it is perhaps naive for users to think that they can have a forum that’s secure, anonymous, and public at the same time. Account vulnerabilities like this one, are not an issue singular to Yik Yak. Plenty of other anonymous messaging platforms, most notably Snapchat, have been shown to have similar vulnerabilities.

Anything a person ever says or does may ultimately hold consequences regardless of the circumstances under which they were said. The SilverSky team sums it up nicely at the end of their post: “Be careful what you say or do on social media. You’re probably not as anonymous as you think.”

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":1620520,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,social,","session":"C"}']

VentureBeat has reached out to Yik Yak, but the company has not yet returned our request for comment.