Researchers have found a serious security bug in the anonymous message platform Yik Yak that exposed user data. While the platform claims to ensure anonymity, the bugs conflicting with this intended purpose remained unpatched for quite a long time.
Yik Yak Bug Leaking Users’ Info
Reportedly, a serious information disclosure bug existed in the Yik Yak platform that potentially risked users’ anonymity.
Yik Yak is a messaging app that allows users within close proximity to communicate anonymously via threads and discussions. It’s a popular app with an estimated 2 million user base.
This functionality means that the app should hide the users’ details to the maximum extent possible. However, the vulnerability in question disrupted this intention.
According to the researcher David Teather, the app exposed the GPS coordinates of users, with up to 15 ft accuracy. This bug appeared as the threads and comments returned the user ID. In turn, the user ID and GPS coordinates, when linked, could easily de-anonymize a user. Explaining the impact of this information disclosure, the researcher stated in his post,
Since people are more likely to use their phones thus YikYak at home it’s possible to figure out the area where a user lives within 10-15 feet. This ability to de-anonymize is much more of a risk in low density rural areas… Since user ids are persistent it’s possible to figure out a user’s daily routine of when and where they post YikYaks from, this can be used to find out the daily routine of a particular YikYak user.
Patch Deployed… Eventually
According to the Daily Swig, the vulnerability caught the attention of two different security researchers. While the latest bug report arrived from David Teather, before him, another researcher Mika Melikyan also disclosed the same bug in a separate post. Like Teather, Melikyan also reported the matter to the app developers. However, the bug remained unpatched for quite long a time, potentially exposing the users’ information online.
Eventually, the app developers seemingly decided to address the matter, and hence, they started releasing the fix. According to Teather, the developers first rolled out the Yik Yak version 1.4.3. However, it didn’t completely patch the bug. Ultimately, the developers made further changes with a subsequent update that “rounded all GPS coordinates sent to the client”.
Describing more about the fix, Teather stated in his tweet,
Since the information isn't destroyed, it is possible that some attack in the future could leave the exact coordinates exposed. Despite this, I'm glad that they finally changed things and the app is more secure for the privacy of individual users.
— David Teather (@david_teather) May 18, 2022
Let us know your thoughts in the comments.