
Sarahah app exposed for quietly uploading users' contacts to company servers without proper permissions


The anonymous messaging app Sarahah has been uploading your phone’s contacts to the company’s servers without your knowledge or permission. The behaviour was first discovered by security analyst Zachary Julian, and The Intercept was the first publication to report it. The harvesting of users' contacts is a serious setback for Sarahah users and exposes them to multiple security risks. Sarahah's privacy policy states that it will not sell user data to third parties unless it is part of bulk data used for statistics and research.

The Sarahah app has recorded millions of downloads on the Google Play Store and the Apple App Store combined. According to Julian, the app, which is marketed on getting users “honest feedback” from their friends, quietly harvests and uploads its users’ phone contacts to the company’s servers. These include all phone numbers and email addresses stored in your device’s address book.

While Sarahah does ask for permission to access a user’s contacts, it does not disclose that those contacts are being uploaded to and stored on its servers. Julian, a senior security analyst at Bishop Fox, installed the Sarahah app on a Galaxy S5 running Android 5.1.1. The device’s traffic was routed through Burp Suite, an intercepting proxy, which allowed him to see the data his phone was sending to remote servers. On installing and running Sarahah, Julian discovered that the app was sending his personal contacts data to the company’s servers without proper permission.
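A defender reproducing Julian's check can search an intercepted capture for entries from the device's own address book. The following is an added example, not code from the article, from Julian or from Sarahah; it assumes a HAR-style export of proxied requests, and both the sample requests and the address book are constructed.

```python
import json
import re

# Constructed sample: two intercepted POST requests in a HAR-like shape.
# The hostname and payload are made up for this example.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST",
                 "url": "https://example-app.invalid/api/contacts/sync",
                 "postData": {"text": json.dumps({"contacts": [
                     {"name": "A", "phone": "+15551230001", "email": "alice@example.com"},
                     {"name": "B", "phone": "+15551230002", "email": "bob@example.com"},
                     {"name": "C", "phone": "+15551230003"}]})}}},
    {"request": {"method": "POST",
                 "url": "https://example-app.invalid/api/login",
                 "postData": {"text": '{"user":"me@example.com","token":"abc"}'}}},
]}}

# Constructed address book of the test device, as the analyst would know it.
DEVICE_CONTACTS = {"+15551230001", "+15551230002", "+15551230003",
                   "alice@example.com", "bob@example.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d{10,15}")


def extract_identifiers(text):
    """Return the set of email addresses and phone numbers found in a request body."""
    return set(EMAIL_RE.findall(text)) | set(PHONE_RE.findall(text))


def find_contact_uploads(har, address_book, min_matches=2):
    """Flag requests whose body carries at least `min_matches` address-book entries.

    A single email (for example the account used to log in) is expected traffic;
    several entries from the local address book in one request is the signal.
    Returns a list of (url, number_of_matching_entries).
    """
    flagged = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        body = req.get("postData", {}).get("text", "")
        matches = extract_identifiers(body) & address_book
        if len(matches) >= min_matches:
            flagged.append((req["url"], len(matches)))
    return flagged


if __name__ == "__main__":
    for url, n in find_contact_uploads(SAMPLE_HAR, DEVICE_CONTACTS):
        print(f"{n} address-book entries sent to {url}")
```

The login request carries one unrelated email and is not flagged; the sync request matches all five address-book entries.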

The transfer of user contacts and emails to the Sarahah servers is not limited to Android; the same occurs on iOS devices once the app obtains permission to “access contacts.” According to Julian’s testing, if users don’t open the Sarahah app for a few days, it pushes the contacts data all over again when relaunched. When Julian relaunched the app after a gap of two days, all his contacts were pushed to the Sarahah servers again.

After this security flaw was discovered, Sarahah creator Zain al-Abidin Tawfiq tweeted that the contact-storing behaviour had been put in place for a “find your friends feature” and will be removed from the app in future updates. He also told The Intercept that the feature was supposed to have been removed by a partner with whom he has since stopped working, but that the partner somehow “missed that.” Tawfiq went on to claim that the function of storing contacts was removed from the servers and that Sarahah servers no longer store any contacts, but his claim is unverified, as security researchers cannot see what happens at the server end of the app.

Twitter @ZainAlabdin878
“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” said Julian. While the app does specify it will access contacts, as per Julian, it is not “enough consent” to justify “sending all of those contacts over without any kind of specific notification.” On iOS, while the app claims it will show you who in your address book is using the Sarahah app, it does not do so.

“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said.

You can view some of Julian’s tests of the Sarahah app in the video below

