900 Million Secrets From 8 Years of 'Whisper' App Were Left Exposed Online (washingtonpost.com) 32

Long-time Slashdot reader AmiMoJo shares a startling report from the Washington Post: Whisper, the secret-sharing app that called itself the "safest place on the Internet," left years of users' most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed.

The data exposure, discovered by independent researchers and shown to The Washington Post, allowed anyone to access all of the location data and other information tied to anonymous "whispers" posted to the popular social app, which has claimed hundreds of millions of users. The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.

The cybersecurity consultants Matthew Porter and Dan Ehrlich, who lead the advisory group Twelve Security, said they were able to access nearly 900 million user records from the app's release in 2012 to the present day. The researchers alerted federal law-enforcement officials and the company to the exposure.

Shortly after researchers and The Post contacted the company on Monday, access to the data was removed.

  • Wow! (Score:4, Funny)

    by nospam007 ( 722110 ) * on Saturday March 14, 2020 @11:38AM (#59830138)

    Almost comparable to the effect when, finally, the Catholic database of worldwide confessions with photos, names and addresses goes online next week.

    • Protestantism: No priest confessions since the 16th century.

      You just have to consider God having your secrets, and he has much better security.

  • Damn. Now we'll never know who stole the cookies from the cookie jar.
  • by lgw ( 121541 )

    Anyone heard any details of what the mistake was? I even *gasp* read TFA and didn't see any. So often these stories are "Amazon S3 buckets with world-readable access", because that was the default for so long. But Amazon finally fixed that a couple years back IIRC, so I'm curious now how idiots are managing to expose their company's entire data set online these days. What's the new "don't be that guy"?

  • by backslashdot ( 95548 ) on Saturday March 14, 2020 @11:51AM (#59830160)

    George Michael was right.

  • Consequences (Score:3, Insightful)

    by jackityquack ( 2038234 ) on Saturday March 14, 2020 @11:54AM (#59830164)
    There really needs to be serious consequences for this kind of thing. It keeps happening and the market is obviously not solving the problem. We need government to step in and severely fine these companies for being so terrible at securing OUR data.
    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Saturday March 14, 2020 @02:53PM (#59830638)
      Comment removed based on user account deletion
      • by AmiMoJo ( 196126 )

        Irrelevant. They said it was safe, sold the service on that basis. It wasn't, they lied, that's fraud.

        If it's not safe don't claim it is.

        • Comment removed based on user account deletion
          • While I agree that users should exercise more caution, just because someone promised things are obviously a scam or un-doable doesn't mean people shouldn't try to hold the said company accountable for failing to live up to their promise resulting in people getting harmed.
        • by AmiMoJo ( 196126 )

          At least one moderator does not understand the law. If you claim something is safe and it turns out not to be then it creates legal liability and you are opened up to lawsuits to redress your error or lies.

    • Here's a simple rule to follow: If what you put "privately" online would ruin your day/life if it got out ... DON'T PUT IT ONLINE. This PSA brought to you by the folks at "No Shit Sherlock, Inc."
      • by AmiMoJo ( 196126 )

        That would be a massive failure of technology. If we can't even use the internet to communicate privately we have screwed up massively.

        Fortunately we can and regularly do. Accessing your bank's web site is generally secure, despite you having "put your banking details online". Communicating with Signal and even WhatsApp is secure due to end to end encryption, despite your private communications being "online".

        Don't believe me? The cops would like a word with you, they have been wasting their time trying to

        • That would be a massive failure of technology. If we can't even use the internet to communicate privately we have screwed up massively.

          Except the internet wasn't designed for privacy. And the daily breaches would seem to agree with that.

          The concept of people divulging embarrassing or criminal confessions onto a database seems a whole lot like something set up by law enforcement to aid in parallel construction, so I wonder if that might have been Whisper's true purpose. Not likely anyone would care about someone screwing the next door neighbor's spouse, but if someone confessed to a murder, you can bet they could be found - the resour

    • Why ever would the government want to protect that data? They're one of the main customers! They don't have to care about silly rules and laws when a third party gathered the data for them and they just have to pay for it.

  • so I have to assume Whisper didn't have end-to-end encryption, and the "private text" was being sent to the server and to the recipient in plain-text? (or maybe it was encrypted, but using a static key that was present on all of the installations?)

    Or they used some weak encryption that was easy to break for the entire encrypted message database?

    Or was this a case of back door abuse? Like end-to-end encryption that has a govt backdoor so they can give the key to countries that insist on having it before all

    • Perhaps “web scale” MongoDB has struck again...

    • by lgw ( 121541 )

      It's almost always that the cloud-based data store was left world-readable and unencrypted. For about a decade, every story like this turned out to be world-readable S3 buckets. A couple years back, Amazon finally changed the default on S3 to something sane, so we have to find a new form of idiocy. Still wondering what new folly these guys found.

    • by Anonymous Coward
      I interviewed at this company many years ago, and it was ridiculous - the tests they gave me had absolutely nothing to do with the job they were hiring for. Glad I found a job elsewhere. At the time they were all working in a house in a very expensive part of Santa Monica, and it looked and felt much like the house from the show Silicon Valley. One of the guys was just too full of shit for me to ever consider working there. One of the interviewers had to be woken up to interview me, and he only seemed half
  • Peak stupid! (Score:4, Interesting)

    by Brett Buck ( 811747 ) on Saturday March 14, 2020 @12:56PM (#59830316)

    Whisper, the secret-sharing app that called itself the "safest place on the Internet," left years of users' most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed.

    OK, we have a new low. People thought it was a good idea to take a "secret" that would have significant real-world repercussions if known - and to *post it to the internet*. Not only that, they did it after posting their own personal identifying data?! The mind boggles.

  • The article starts with this:
    Long-time Slashdot reader AmiMoJo
    It should start with this:
    Long-time Slashdot idiot AmiMoJo
  • by ceoyoyo ( 59147 ) on Saturday March 14, 2020 @01:46PM (#59830468)

    It should be interesting reading through this database. What a window into people's most intimate secrets.

    Later....

    God people are boring.

  • Whisper was an obvious honeypot. Surely no one on Slashdot is surprised that they kept a cleartext database of their users' "secrets"?

    • Whisper was an obvious honeypot. Surely no one on Slashdot is surprised that they kept a cleartext database of their users' "secrets"?

      Actually a fishing expedition, but you are spot on about the purpose. They kept location data and if someone posted something juicy enough for law enforcement, they would use it, probably for parallel construction. But when you know the perp, you have a great place to build a case.

  • That is the "nice" thing about the human race: Just when you think that somebody has fucked up in a truly unsurpassable way, somebody else fucks up worse. And, again, a halfway competent external pen-test would have found this. Arrogance and stupidity in the usual fatal combination.
