If you were a college student a few years ago, chances are you have heard of, and maybe used, Yik Yak, an anonymous bulletin board app that showed a feed of posts from a particular location.
The app, released in 2013, was subsequently shut down in 2017 after users pointed out that it could be used to anonymously bully and harass people, among other terrible things. Yik Yak made something of a comeback but the core problems remained.
But it turns out that Yik Yak wasn't so anonymous after all, according to a researcher speaking to Motherboard.
Yik Yak privacy flaw
Computer science student David Teather devised a rather ingenious way to test Yik Yak's privacy smarts and found the app was very much wanting.
Using the open-source mitmproxy tool, Teather intercepted data from and to Yik Yak by pretending to be the app itself. Every post on the service includes an exact GPS coordinate and a unique ID (such as nrCi213RA3SncY6mVLZzuGUIJ2T2), both of which can be used to de-anonymise Yik Yak users.
In his own blog post, Teather goes into a lot more detail on exactly how and why Yik Yak was doing this, which leaves around two million remaining users at risk.
A silent update
“I disclosed what I found to the YikYak team on April 11, 2022,” Teather said. “Nearly a month later on May 8, 2022 (1 day before public disclosure date), they responded by removing the user id being returned for posts and comments, however this is not enough to protect privacy as it’s trivial to regain this information.”
But not a lot happened until Yik Yak released version 1.4.3 around May 11, which made some slight changes, mainly meaning that the GPS location data was less accurate.
I found out that @YikYakApp is exposing millions of user locations by sending precise GPS coordinates of all posts and comments (accurate within 10-15 feet) to the app, these can be harvested by malicious actors to track users' locations. https://t.co/pgT809okv7 (May 9, 2022)
While this is almost certainly a positive change, Teather noted that it was still possible, albeit a bit harder, to extract precise location data.
Yik Yak did not respond to several requests for comment from Motherboard.
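The two changes described above (dropping the user ID from responses and making location less accurate) can both be enforced on the server before a post is serialised for the client. The sketch below is an added example, not Yik Yak's code and not taken from Teather's write-up; the field names, the 1 km cell size and the sample record are assumptions.

```python
import math

# Assumed schema: these field names are hypothetical, not Yik Yak's API.
PUBLIC_FIELDS = ("post_id", "text", "created_at")
CELL_METERS = 1000.0            # assumed cell size; pick per threat model
METERS_PER_DEG_LAT = 111_320.0  # approximate length of one degree of latitude


def snap_to_grid(lat, lon, cell_m=CELL_METERS):
    """Return the centre of the fixed grid cell that contains (lat, lon).

    Snapping is deterministic: every post from the same spot maps to the
    same centre, so collecting many posts does not narrow the position the
    way averaging independently jittered coordinates would.
    """
    dlat = cell_m / METERS_PER_DEG_LAT
    lat_c = (math.floor(lat / dlat) + 0.5) * dlat
    # A degree of longitude shrinks with latitude. Derive the column width
    # from the snapped row so all points in a row share the same columns.
    cos_row = max(math.cos(math.radians(lat_c)), 0.01)
    dlon = cell_m / (METERS_PER_DEG_LAT * cos_row)
    lon_c = (math.floor(lon / dlon) + 0.5) * dlon
    return round(lat_c, 5), round(lon_c, 5)


def to_public_post(record):
    """Build the client-facing post from an allowlist of fields."""
    # Allowlist, not denylist: a field added to the record later (another
    # identifier, device details) stays private unless listed explicitly.
    public = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    public["lat"], public["lon"] = snap_to_grid(record["lat"], record["lon"])
    return public


# Constructed sample record (placeholder values, not real data).
SAMPLE = {
    "post_id": "post-0001",
    "text": "hello campus",
    "created_at": "2022-05-11T12:00:00Z",
    "user_id": "EXAMPLE-USER-ID",
    "device_model": "example-phone",
    "lat": 33.775612,
    "lon": -84.396285,
}

if __name__ == "__main__":
    print(to_public_post(SAMPLE))
```

Coarsening only helps if the precise coordinates never leave the server; reducing precision in the client after the response has arrived leaves the exact values visible to anyone inspecting the traffic.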