
Yik Yak fixes information disclosure bug that leaked users’ GPS location

‘Anonymous’ social network Yik Yak took more than three months to address vulnerabilities that meant it wasn’t anonymous at all, despite reports from two different security researchers.

Launched in 2013, Yik Yak allows users to message one another anonymously, but was shut down in 2017 after allegations of cyberbullying. It restarted last year, and currently claims around two million users.

Earlier this month, Wisconsin-based computer science student David Teather revealed that he’d been able to access users’ precise locations, accurate to within 10ft to 15ft, along with user IDs, for all posts and comments made on the site.

This, he pointed out, meant that, particularly in rural areas, it could be possible to locate a user’s home address, potentially for the purposes of theft or stalking.

The researcher was able to do this by intercepting HTTP requests from the client using the open source Mitmproxy tool. This, he says, was “fairly trivial to do”.

Duplicate findings

Teather submitted his findings to Yik Yak on April 11, not knowing that another researcher, Mika Melikyan, had reported the same problem months earlier.

“We discovered similar issues, but Mika dug deeper than myself and was able to become an admin on the Yik Yak database,” Teather tells The Daily Swig.

“I was not aware of his work, but he reported his issues to Yik Yak in February.”

Melikyan says his February 1 report focused on the GPS data breach.

“However, more vulnerabilities were discovered, such as: any user could escalate their privileges and become an admin, any user could modify or delete arbitrary posts on the timeline, any user could modify the ‘upvote’ count on arbitrary posts,” he tells The Daily Swig.

“This meant that an attacker could alter any post to have thousands of upvotes. This is dangerous because it can be used as a tool to artificially generate social acceptance. Imagine, right before elections, an anonymous post was made that praised a presidential candidate and altered to have 100,000 upvotes.”

Under-the-hood changes

With the two researchers reporting independently, Yik Yak made changes on May 8 so that the app no longer returned user IDs to the client. On May 18, it went further, reducing the precision of both the GPS coordinates and the reported distance between users.
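The remediation described above, stripping user IDs and coarsening location and distance before a post leaves the server, as an added illustration of response minimisation. This is not Yik Yak's code; the record layout, field names, grid size and distance buckets are assumptions.

```python
import math

# Constructed example of what a post endpoint might hold server-side.
# Field names and values are assumptions, not taken from the Yik Yak API.
RAW_POST = {
    "post_id": "p-1001",
    "user_id": "u-42",        # stable identifier that links posts to one person
    "text": "anyone up for coffee?",
    "lat": 43.073051,         # roughly metre-level precision (constructed)
    "lon": -89.401230,
    "distance_m": 137.4,      # exact distance from the requesting client
}

GRID_DEG = 0.01                            # ~1.1 km of latitude per cell (assumed policy)
DISTANCE_BUCKETS_M = (500, 1000, 2000, 5000)  # assumed coarse ranges shown to clients


def coarsen_coordinate(value: float, grid: float = GRID_DEG) -> float:
    """Snap a coordinate to the centre of its grid cell.

    Every point inside the same cell maps to one value, so a client can no
    longer resolve a poster to a specific building from the response.
    """
    return round((math.floor(value / grid) + 0.5) * grid, 6)


def bucket_distance(distance_m: float) -> str:
    """Replace an exact distance with a coarse range label."""
    for limit in DISTANCE_BUCKETS_M:
        if distance_m < limit:
            return f"<{limit} m"
    return f">={DISTANCE_BUCKETS_M[-1]} m"


def sanitize_for_client(post: dict) -> dict:
    """Build the only representation the client should receive.

    The user ID is dropped entirely rather than masked, and location data is
    coarsened here so that no precise value reaches the HTTP response.
    """
    return {
        "post_id": post["post_id"],
        "text": post["text"],
        "lat": coarsen_coordinate(post["lat"]),
        "lon": coarsen_coordinate(post["lon"]),
        "distance": bucket_distance(post["distance_m"]),
    }


if __name__ == "__main__":
    print(sanitize_for_client(RAW_POST))
```

Because the sanitised record is built field by field, any new server-side attribute stays out of the response unless it is deliberately added.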

However, says Melikyan, “there were multiple Yik Yak app updates between February 1 and May, none of which addressed the vulnerabilities. Developers were fully aware of it, and they did not prioritize it.”

We’ve contacted Yik Yak for a response, and will update if we receive a reply.

Source: https://portswigger.net/daily-swig/yik-yak-fixes-information-disclosure-bug-that-leaked-users-gps-location
