Secret-sharing app Whisper shared secrets like last known location and actual password tokens in exposed database
2020-03-11 13:42

Whisper, a mobile app for sharing those thoughts you'd rather not make public, turns out to be better at sharing secrets than keeping them, spilling a whopping 90 metadata fields associated with users in an exposed database.

In a phone interview with The Register, Dan Ehrlich, security consultant with Twelve Security, said colleague Matt Porter had spotted the unprotected Whisper ElasticSearch database.

Ehrlich observed that while Whisper makes maybe five fields of metadata public in posts, the posts available in the ElasticSearch database have about 90 metadata fields associated with them, including last known geolocation and the actual password token, which is usable for logging in as that user.

The Whisper app also scores users on their likelihood of being a sexual predator, recorded in the predator probability data field.

In 2014, The Guardian reported that Whisper was tracking the location of its users, even those who declined to be tracked.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/11/secret_sharing_app_whisper_shared_secrets_in_exposed_database/