Hackers Just Proved That Secret Isn't Really Secret

It's the worst fear of narcissists around the globe: Those confessions, those private things, those secrets you've been sharing on the popular app Secret aren't actually secret. Well, narcissists of the globe, your worst fear has come true. Secret isn't really secret.

A duo of security researchers—Benjamin Caudill and Bryan Seely—recently discovered a hack that allowed them to identify the user behind supposedly anonymous messages on Secret. Like good white hat hackers do, they told Secret about the vulnerability, and Secret says they've now fixed the problem. But the simple fact that it was possible—and frankly, pretty easy—to dox secret spillers is reason enough to be nervous about the app's security on the whole. This also isn't the first time Secret's suffered from security problems.

The hack was relatively simple. Secret only shows you a stream of your friends and friends of friends if more than eight of your friends use the app. However, the company failed to account for bots, which Caudill and Seely easily created using a simple script. Once they had loads of fake accounts, they would connect with one friend and then just watch the stream. The bots did not post, so anything that hit the feed had to come from that one friend. Anonymous no more! The duo successfully identified several people and their secrets, including those of Secret founder David Byttow.

It almost seems silly that such an easy trick worked. And even though the hack doesn't let you identify the user behind any given secret, it does show how allegedly anonymous services fail to stay secure in the face of a couple of clever hackers. So even though this hole's been patched, who knows how many more holes haven't been discovered yet? [Forbes]