Anonymous Social Media App Yik Yak Exposed Users' Precise Locations (vice.com)
An anonymous reader quotes a report from Motherboard: The anonymous message board app Yik Yak is designed in a way that it is possible to get the precise location of a user's post, and see users' unique IDs, potentially allowing someone to dox and stalk users, according to a researcher. Yik Yak is an anonymous social media network popular primarily on college campuses. It was launched in 2013. The app shut down completely in 2017, after it was accused of being a platform used to harass and cyberbully students, and even to post bomb threats. These allegations have followed the app since its very beginning. In 2014, the company blocked access to middle school and high school students because of reports of threats of violence and bullying. The app came back last year, a comeback no one was really asking for, as my colleague Gita Jackson pointed out at the time. Yik Yak does have so-called "community guardrails" to "ensure everyone feels welcomed and stays safe." But students are still reporting the same old problems.
In April, David Teather, a computer science student, analyzed what kind of data Yik Yak exposes by intercepting data sent and received by his Yik Yak app using a free and open source tool called mitmproxy and by writing "code that pretended to be the Yik Yak app to extract information from it." By doing that, he realized that Yik Yak sent the precise GPS coordinates of every post to his app, as well as a user's unique ID -- nrCi213RA3SncY6mVLZzuGUIJ2T2 for example -- which could have allowed him to track users' posts by looking at where they posted over time, opening up the possibility to de-anonymize and stalk users, according to a blog post he published this week. Teather demonstrated the flaw in a video call to Motherboard, showing a post in his area, and its GPS coordinates.
After Teather alerted Yik Yak of this flaw on April 11, the company made some changes and pushed out new versions of the app on April 28, May 9, and May 10. Teather told Yik Yak that he was planning to publish his research on May 9, according to email correspondence that he shared with Motherboard. After Yik Yak pushed the new updated apps, the privacy issues are only partially fixed, according to Teather. Teather said that as of today, on the app's latest version, Yik Yak does not expose GPS locations, and the app doesn't display a user's unique ID when intercepting data the same way he did in April. But, Teather told Motherboard that he is still able to recover both coordinates and user ID by analyzing the app's API from previous app versions. What's worse, the app now shows the distance, in feet, between a user and other users' posts, according to Teather and Zach Edwards, an independent privacy researcher who analyzed the Yik Yak app for Motherboard. "Since the distance is in feet though it should be still possible to triangulate a particular user/post by changing your location until you can figure that out," Teather told Motherboard.
Edwards added: "you can still probably dox someone by merely spoofing your own location and recording the number of feet from the person posting."
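The report above describes three leaks: exact post coordinates, a stable user ID, and a distance precise to the foot. As an added example (not Yik Yak's code and not from the report), this sketch shows one server-side way to minimize a feed record before it leaves the backend; the field names, grid size, key and sample data are all hypothetical.

```python
import hashlib
import hmac
import math

CELL_DEG = 0.01                      # assumed grid size, roughly 1 km of latitude
FEED_KEY = b"constructed-demo-key"   # placeholder; a real key stays server-side

def snap(lat, lon, cell=CELL_DEG):
    """Replace a coordinate with the centre of the grid cell containing it."""
    return ((math.floor(lat / cell) + 0.5) * cell,
            (math.floor(lon / cell) + 0.5) * cell)

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def post_pseudonym(user_id, post_id):
    """Per-post handle: stable for one post, unlinkable across posts without the key."""
    msg = f"{post_id}:{user_id}".encode()
    return hmac.new(FEED_KEY, msg, hashlib.sha256).hexdigest()[:12]

def public_view(post, viewer_lat, viewer_lon):
    """Build the client-facing record from the stored one (allow-list, not deny-list)."""
    d = haversine_km(snap(post["lat"], post["lon"]), snap(viewer_lat, viewer_lon))
    return {
        "id": post["id"],
        "text": post["text"],
        "author": post_pseudonym(post["user_id"], post["id"]),
        "distance_km": round(d),
    }

# Constructed sample data: one user, two posts a few hundred metres apart.
POSTS = [
    {"id": "p1", "text": "first", "user_id": "constructed-user-0001", "lat": 40.0034, "lon": -83.0123},
    {"id": "p2", "text": "second", "user_id": "constructed-user-0001", "lat": 40.0078, "lon": -83.0181},
]

if __name__ == "__main__":
    for probe in [(40.0312, -83.0467), (40.0388, -83.0409)]:
        print(probe, [public_view(p, *probe) for p in POSTS])
```

Because both endpoints are snapped to the grid before the distance is computed, moving the viewer within a cell changes nothing in the response, so the most a client can learn is the poster's cell rather than a point. Rounding an exact distance alone would not give that property.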
Anonymity app asks for permission to use GPS.. (Score:5, Funny)
Honeypot (Score:2)
Could anything be this badly designed without being a honeypot for collecting user data?
Time is a flat circle. (Score:2)
Used to work w/ a guy who tried to build a location based mobile social app in 2005. This industry is hopeless.
For children? (Score:2)