Whisper, a Social Media App That Promises Anonymity, Exposes 900 Million User Records
The difference between Whisper and more conventional social media platforms like Facebook or Twitter is that you don't need to enter any personal information in order to use it. Instead, you just pick a username, state what age you are, and you can freely share your thoughts. This being a social network, other people do get to see them, but they have no idea who wrote them.
Whisper left 900 million user records in an unprotected database
Because of the promised anonymity, users are encouraged to post things they'd normally avoid publicizing, and they are told that by using Whisper, they are sharing their deepest secrets on "the safest place on the internet." It's a bold claim that sounds somewhat weird when you consider that the app's official website loads over HTTP rather than HTTPS by default. It gets weirder still when you realize that the same application left a database with no fewer than 900 million user records exposed to the internet.
The discovery was made last week by researchers from Twelve Security. The 5TB Elasticsearch cluster was accessible to anyone connected to the internet, it was not protected by a password, and some of the information contained in it dated back to Whisper's launch in 2012.
Was the data exposure that serious?
Shortly after discovering the database, Twelve's experts contacted the FBI and The Washington Post. The Post helped them get in touch with MediaLab, the application's developer, and on Monday, the database was taken offline. Despite the relatively quick reaction, MediaLab argued that there's nothing too worrying about the leak.
According to representatives who spoke to The Washington Post, users had willingly decided to share most of the data within the Whisper app anyway, which meant that although it wasn't supposed to happen, the exposure wasn't such a huge deal. They were talking about the millions of user posts that were leaked, and their argument was that the leak didn't put users' anonymity in any immediate danger. The security experts, however, weren't so sure.
The leaky database didn't hold any names, but it contained individual users' stated age, gender, hometown, nickname, and group memberships. If someone was trying to figure out the identity of a Whisper user, that data could have narrowed down the possibilities significantly. Couple this with the fact that the last known location of the affected users was also revealed, and you'll see that tying a leaked post to a real individual was far from impossible.
After The Post's report, The Register also got in touch with the researchers and found that the range of exposed metadata was even greater than initially anticipated. It turns out that password tokens were also included in the database, and the researchers confirmed that, using them, they could log into people's accounts. Suddenly, the problem seemed much bigger than MediaLab's representatives would have you believe. For those of you following the news around the Whisper app closely, this might be a bit of a déjà vu moment.
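To make the re-identification argument above concrete, here is an added example (not code from the article, Twelve Security or MediaLab) that measures how much a set of "anonymous" metadata fields narrows down a user. The records are constructed for this illustration and the field names are assumed; each field mirrors a category the article says the database held (age, gender, hometown, group memberships, last known location). The functions report the k-anonymity of the data set under a chosen set of quasi-identifiers and show how the candidate set for one user shrinks as each additional leaked field is combined with the others. This is the kind of check a privacy or security review would run before deciding whether a data set is safe to store unprotected.

```python
"""Re-identification risk of 'anonymous' metadata, measured over constructed records.

Added illustration, not code from the article or the parties it describes.
Field names and values below are constructed assumptions for the example.
"""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, object]

# Constructed sample: eight hypothetical users, no real data.
RECORDS: List[Record] = [
    {"nickname": "u1", "age": 24, "gender": "F", "hometown": "Austin", "last_location": "Austin", "groups": ("students",)},
    {"nickname": "u2", "age": 24, "gender": "F", "hometown": "Austin", "last_location": "Dallas", "groups": ("students",)},
    {"nickname": "u3", "age": 24, "gender": "M", "hometown": "Austin", "last_location": "Austin", "groups": ("music",)},
    {"nickname": "u4", "age": 24, "gender": "F", "hometown": "Denver", "last_location": "Denver", "groups": ("students",)},
    {"nickname": "u5", "age": 31, "gender": "M", "hometown": "Austin", "last_location": "Austin", "groups": ("parents",)},
    {"nickname": "u6", "age": 31, "gender": "M", "hometown": "Austin", "last_location": "Houston", "groups": ("parents",)},
    {"nickname": "u7", "age": 31, "gender": "F", "hometown": "Denver", "last_location": "Denver", "groups": ("music",)},
    {"nickname": "u8", "age": 45, "gender": "M", "hometown": "Denver", "last_location": "Austin", "groups": ("parents",)},
]

ALL_QUASI_IDS: Tuple[str, ...] = ("age", "gender", "hometown", "last_location")


def equivalence_classes(records: Iterable[Record], keys: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def min_k(records: Sequence[Record], keys: Sequence[str]) -> int:
    """k-anonymity of the data set under these quasi-identifiers: the smallest class size.

    k == 1 means at least one user is uniquely identifiable from those fields alone.
    """
    return min(equivalence_classes(records, keys).values())


def fraction_unique(records: Sequence[Record], keys: Sequence[str]) -> float:
    """Share of records that are the only member of their equivalence class."""
    classes = equivalence_classes(records, keys)
    unique = sum(1 for r in records if classes[tuple(r[k] for k in keys)] == 1)
    return unique / len(records)


def candidates(records: Iterable[Record], keys: Sequence[str], target: Record) -> List[Record]:
    """Records matching the target on every given field: the anonymity set that
    remains for someone who already knows those facts about a person."""
    wanted = tuple(target[k] for k in keys)
    return [r for r in records if tuple(r[k] for k in keys) == wanted]


def narrowing_report(records: Sequence[Record], target: Record,
                     key_order: Sequence[str] = ALL_QUASI_IDS) -> Dict[Tuple[str, ...], int]:
    """Size of the candidate set as each additional leaked field is combined."""
    report: Dict[Tuple[str, ...], int] = {}
    for i in range(1, len(key_order) + 1):
        keys = tuple(key_order[:i])
        report[keys] = len(candidates(records, keys, target))
    return report


if __name__ == "__main__":
    target = RECORDS[0]
    for keys, n in narrowing_report(RECORDS, target).items():
        print(f"{' + '.join(keys):45s} -> {n} candidate(s)")
    print("k-anonymity under all four fields:", min_k(RECORDS, ALL_QUASI_IDS))
    print("fraction uniquely identifiable:", fraction_unique(RECORDS, ALL_QUASI_IDS))
```

On the constructed sample, age alone leaves four candidates for the first user, adding gender leaves three, adding hometown leaves two, and adding the last known location leaves exactly one; under all four fields every record in the sample is unique, so the data set offers no anonymity at all to an attacker who holds even a little outside knowledge about a person. Real populations are larger, but the same computation, run over the actual field distribution, is what tells a defender whether "no names" means "anonymous".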
This is not the first security-related controversy around Whisper
Back in 2014, Guardian reporters were invited to Whisper's HQ to discuss a potential partnership between the news outlet and the social media application. While they were there, they learned that Whisper had mechanisms in place that would track people's location, even when the users had explicitly opted out of this.
After the report came out, representatives of the social network denied all allegations and publicly accused the British newspaper of publishing lies. Eventually, those representatives were fired, and the tracking was apparently stopped.
Right now, MediaLab employees are once again trying to convince the public that things are not as bad as the news reports suggest, and unfortunately, they have not yet done enough to assure us that this is anything more than an attempt to downplay the seriousness of the situation.