Critical Flaw in Yik Yak App Strips Anonymity


Yik Yak, the anonymous social media platform that allows people to make posts that are visible to other users within two miles or so, has been a hit with the kids: high school and college students have pushed it into the top 30 in the iOS App Store. One not-so-small issue: a flaw allows hackers to de-anonymize a user and take total control of an account.

Yik Yak is anonymous, so users can post personal thoughts and ideas without fear of reprisal. That can be a cathartic exercise, a hook-up mechanism, a way to find commiseration on difficult topics, or, sadly, a path to cyber-bullying. In all cases, users expect their identity to remain concealed. The app’s description notes that it affords users a way to “share your thoughts with people around you while keeping your privacy.”

While analyzing popular mobile applications, SilverSky Labs researcher Sanford Moskowitz unearthed a critical vulnerability in Yik Yak’s iOS app: a lack of encryption in a seemingly innocuous part of the app.

“An attacker is able to view all of the target’s previous posts, make new posts and literally log in to the app using the target’s credentials,” he explained in an analysis. “This attack can be easily conducted by anyone on the same network as the target, which is a very common situation for Yik Yak’s main demographic: college students.”

Call it a “Yak Hack.”

As an example of an attack, hacktivists could exploit the vulnerability to identify bullies on their school’s Wi-Fi network, he noted—potentially an altruistic undertaking, but one that opens the door to compromising non-bullies’ privacy.

SilverSky contacted the Yik Yak team to report the issue on December 2, and the app has now been updated to mitigate the problem.

“However, the existence of such a vulnerability should act as a warning to those who abuse the benefits of anonymity,” Moskowitz said. “Users of any ‘anonymous’ service can still be held accountable for their actions; you never know who is listening. Be careful what you say or do on social media. You’re probably not as anonymous as you think.”
