[BreachExchange] Whisper app which lets people make anonymous confessions online leaves database of 900 MILLION messages exposed with personal data that could leave users open to blackmail

Destry Winant destry at riskbasedsecurity.com
Thu Mar 12 10:09:50 EDT 2020


https://www.dailymail.co.uk/sciencetech/article-8097319/Whisper-lets-people-make-anonymous-confessions-leaves-bucket-900-MILLION-messages-exposed.html

Nearly 900 million confessions and secrets posted to the app Whisper
were left exposed on a non-password-protected database open to the
public internet.

Although messages were not tied to real names, 'a user's stated age,
ethnicity, gender, hometown, nickname and any membership in groups,
many of which are devoted to sexual confessions and discussion of
sexual orientation and desires' were visible, according to The
Washington Post.

The public was able to browse and search through the records, many of
which were posted by children – The Post found 1.3 million results
were connected to users who listed their age as just 15 years old.

The database was discovered by the advisory group Twelve Security,
which said the personal information tied to the messages was enough
'to unmask or blackmail' the user who shared the post.

However, the firm has rejected the findings stating the posts and
their ties are 'a consumer facing feature of the application which
users can choose to share or not share.'

Matthew Porter and Dan Ehrlich, cybersecurity consultants with Twelve
Security, alerted authorities and Whisper of the exposed database and
access has been removed as of Monday.

'No matter what happens from here on out, the data has been exposed
for years,' Olbert said adding that people could 'have their lives
ruined and their families blackmailed because of this.'

Whisper shared a statement on Tuesday saying that much of the data is
intended to be visible to users in the app, but the exposed database
was 'not designed to be queried directly.'

'This has very much violated the societal and ethical norms we have
around the protection of children online,' said Ehrlich, who also
discovered the data leak in Wyze that occurred last year.

He also said Whisper's actions are 'grossly negligent.'

The exposed bucket has been online for years and contains enough
information to unmask the user that shared the post. Whisper
encourages people to share their darkest secrets with the promise they
stay anonymous

However, Lauren Jamar, vice president of content and safety at
Whisper's parent company MediaLab, has disputed Twelve Security's
discovery, saying posts and their ties are 'a consumer facing feature
of the application which users can choose to share or not share.'

But Porter and Ehrlich are not buying Jamar's statement, as anyone was
able to download the information in bulk, placing users involved at
risk of privacy issues.

Whisper deems itself the 'safest place on the Internet' with its
promotional material stating that it is 'the largest online platform
where people share real thoughts and feelings … without identities or
profiles.'

The messages were tied to the user's location in which they shared the post.

The team was able to see the location for hundreds of military bases
around the world and their exact coordinates.

Whisper has rejected the findings, stating the posts and their ties are
'a consumer facing feature of the application which users can choose
to share or not share'. Researchers who uncovered the database hit back,
saying the bucket could have been downloaded by anyone, which is a
security issue

This information was gathered as part of a Whisper project
analyzing suicide rates among the military for an undeveloped research
proposal with the Defense Department.

WHISPER: THE 'ANONYMOUS' APP

Whisper, which has its headquarters in Los Angeles, was set up two
years ago with the aim of allowing users to post messages anonymously
enabling them to share intimate details about their private lives.

Users, who do not have a public identity, send out short posts
displayed as text superimposed over an image.

People can then respond to a message either publicly or privately.

There have been reports that Whisper's popularity has grown considerably,
and as of 2015 it had 10 million users on the platform.

This is not the first time Whisper has come under fire, as in 2014 the
firm was accused of monitoring the whereabouts of its users -
including some who had specifically requested not to be followed.

There are claims a team at the company is tracking users it thinks are
newsworthy - including military personnel, people working at Disney
and a 'sex-obsessed lobbyist' working in Washington DC.

The claims were made by the Guardian newspaper which suggested Whisper
was occasionally sharing information with the US government.

Rejecting any wrongdoing, it told the newspaper that it 'does not
follow or track users' and said it was false to suggest it was
monitoring people without their consent.

However, the Guardian, which gathered this information while visiting the
company's headquarters, said Whisper has acknowledged it researched the
locations of people it considered were sending out newsworthy
messages - adding that this was typically done using GPS data.
