
Popular Sarahah App secretly uploads your phone contacts to the company’s servers


According to a report published by The Intercept, the popular Sarahah app silently uploads users’ phone contacts to the company’s servers.

This summer, Sarahah became one of the most popular apps in the world on both iOS and Android.

Sarahah was created by Saudi Arabian developer Zain al-Abidin Tawfiq; it implements a social network that lets users send and receive anonymous messages.

It reached the top of the App Store in many regions, including Australia, Ireland, the U.S., and the UK.

Created by Saudi Arabian developer Zain al-Abidin Tawfiq, the app is essentially a social network that lets you send and receive anonymous messages.

Sarahah means “frankness” or “honesty” in Arabic; the name was chosen because the author believes that people are more willing to be honest when their messages are anonymized, as the app does.

Today the Sarahah app has more than 18 million users, most of whom are probably unaware that the app may not be as private as they believe.

According to a report published by The Intercept, the app silently uploads users’ phone contacts to the company’s servers.

The discovery was made by the security analyst Zachary Julian, who found that once users have installed the Sarahah app for the first time, it harvests and uploads the data in their address book.

“Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software known as BURP Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers.” reads the report published by The Intercept. “When Julian launched Sarahah on the device, BURP Suite caught the app in the act of uploading his private data.

“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again. He did some testing on the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again.”
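The behaviour Julian observed through an intercepting proxy, a request body carrying the whole address book at login and the same set being sent again days later, can be checked for mechanically. The script below is an added example, not code from the article, from The Intercept or from the app's developer: it scans a list of captured requests (constructed sample records, with a placeholder host) for bulk contact identifiers or contact-shaped JSON keys, and fingerprints each contact set so that a repeat upload is reported as such. The threshold and key names are assumptions chosen for the example.

```python
"""Flag intercepted app requests that bulk-upload address-book data.

Added example (not from the Security Affairs article or The Intercept's
report). The Request records at the bottom are constructed sample data
with a placeholder host; BULK_THRESHOLD and CONTACT_KEYS are assumptions.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
# JSON keys that suggest an address-book payload (assumed list).
CONTACT_KEYS = {"contacts", "address_book", "phonebook", "emails", "phones"}
BULK_THRESHOLD = 5  # more identifiers than this in one body counts as "bulk"


@dataclass
class Request:
    ts: int        # capture time, seconds since epoch (constructed)
    method: str
    url: str
    body: str


@dataclass
class Finding:
    url: str
    emails: int
    phones: int
    repeat_of: Optional[int] = None  # ts of an earlier upload of the same set


def _fingerprint(emails: Iterable[str], phones: Iterable[str]) -> str:
    # Order-independent digest of the normalised identifiers, so a later
    # re-upload of the same contact set hashes to the same value.
    items = sorted({e.lower() for e in emails} | {re.sub(r"\D", "", p) for p in phones})
    return hashlib.sha256("\n".join(items).encode()).hexdigest()


def _has_contact_keys(body: str) -> bool:
    # True if any JSON object key anywhere in the body is in CONTACT_KEYS.
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if {k.lower() for k in node} & CONTACT_KEYS:
                return True
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return False


def scan(requests: List[Request]) -> List[Finding]:
    """Return one Finding per request that looks like a contact upload."""
    seen: Dict[str, int] = {}
    findings: List[Finding] = []
    for r in requests:
        if r.method.upper() not in ("POST", "PUT"):
            continue
        emails = EMAIL_RE.findall(r.body)
        phones = PHONE_RE.findall(r.body)
        bulk = len(emails) + len(phones) > BULK_THRESHOLD
        if not (bulk or _has_contact_keys(r.body)):
            continue
        fp = _fingerprint(emails, phones)
        findings.append(Finding(r.url, len(emails), len(phones), seen.get(fp)))
        seen.setdefault(fp, r.ts)
    return findings


# Constructed sample capture: a login, a contacts sync, a feed fetch, and the
# same contacts sync two days later.
_BOOK = json.dumps({"contacts": [
    {"name": f"contact{i}", "email": f"contact{i}@example.com", "phone": f"+1555000{i:04d}"}
    for i in range(20)
]})
SAMPLE = [
    Request(1000, "POST", "https://api.example.invalid/login", '{"user": "alice", "pw": "x"}'),
    Request(1001, "POST", "https://api.example.invalid/contacts/sync", _BOOK),
    Request(1002, "GET", "https://api.example.invalid/feed", ""),
    Request(1001 + 2 * 86400, "POST", "https://api.example.invalid/contacts/sync", _BOOK),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        tag = f" (repeat of upload at ts={f.repeat_of})" if f.repeat_of else ""
        print(f"{f.url}: {f.emails} emails, {f.phones} phones{tag}")
```

Run against a real capture, the records would come from the proxy's export rather than the inline sample; the point of the fingerprint is that a second hit with `repeat_of` set is the "pushed all of his contacts again" case, not a new upload.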

According to Zain al-Abidin Tawfiq, the contacts functionality was initially implemented to support a “find your friends” feature; in any case, it would be removed in a future release.

Zachary Julian highlighted that the privacy policy doesn’t mention uploading data to a server.

“The privacy policy specifically states that if it plans to use your data, it’ll ask for your consent,” Julian said. While the app’s entry in Google’s Play Store does indicate the app will access contacts, that’s not “enough consent” to justify “sending all of those contacts over without any kind of specific notification,” he added.

The good news is that users can block the app from accessing their contacts.

Since Android 6.0 Marshmallow, users can limit the permissions granted to each app: go to Settings → Personal → Apps, select the app, open App permissions and set the permissions according to your needs.

Unfortunately, as The Intercept notes, “around 54 percent of Android users are using older versions that don’t have these permissions, and users have to be savvy enough to know where to find the app permissions (Settings > Apps > Gear button > App permissions).”
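The same check can be made without the settings UI, which also makes the caveat above visible: on a device where the permission was granted at install time rather than as a runtime permission, the per-app toggle does not apply. The script below is an added example, not from the article: it parses the output of `adb shell dumpsys package <package>` (a real command; the two dumpsys texts inline are constructed samples shaped like its output, and the package name is a placeholder) and, where READ_CONTACTS is a granted runtime permission, produces the matching `adb shell pm revoke` command. The dumpsys layout varies between Android versions, so the parser is an illustration, not a stable interface.

```python
"""Audit an app's contacts permission from `dumpsys package` output.

Added example, not from the article. PACKAGE is a placeholder and both
dumpsys samples are constructed; the real text comes from
`adb shell dumpsys package <package>` on the device.
"""
import re
from typing import Dict, Optional, Tuple

READ_CONTACTS = "android.permission.READ_CONTACTS"
PACKAGE = "com.example.anonymousmessenger"  # placeholder package name

# A runtime (Android 6.0+) grant, shaped like real dumpsys output.
SAMPLE_RUNTIME = """\
Packages:
  Package [com.example.anonymousmessenger] (placeholder):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true stopped=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.GET_ACCOUNTS: granted=false, flags=[ USER_SET ]
"""

# The same permission granted at install time (the pre-Marshmallow model).
SAMPLE_INSTALL = """\
Packages:
  Package [com.example.anonymousmessenger] (placeholder):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_CONTACTS: granted=true
"""

PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def permission_state(dumpsys_text: str) -> Dict[str, Tuple[bool, str]]:
    """Map permission name -> (granted, section) for every 'granted=' line,
    where section is 'install' or 'runtime' depending on the block it sits in."""
    section: Optional[str] = None
    state: Dict[str, Tuple[bool, str]] = {}
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "install permissions:":
            section = "install"
        elif stripped == "runtime permissions:":
            section = "runtime"
        elif stripped == "requested permissions:":
            section = None  # requested-only lines carry no grant state
        m = PERM_LINE.match(line)
        if m and section:
            state[m.group(1)] = (m.group(2) == "true", section)
    return state


def contacts_advice(package: str, dumpsys_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, command): status is 'not-granted', 'revocable' or
    'install-time'; command is the adb revoke line when one applies."""
    state = permission_state(dumpsys_text)
    granted, section = state.get(READ_CONTACTS, (False, ""))
    if not granted:
        return "not-granted", None
    if section == "runtime":
        # pm revoke toggles runtime (dangerous) permissions on Android 6.0+.
        return "revocable", f"adb shell pm revoke {package} {READ_CONTACTS}"
    # Granted at install time: the runtime toggle does not apply, so the
    # remaining choice is whether the app stays installed at all.
    return "install-time", None


if __name__ == "__main__":
    for label, text in (("runtime grant", SAMPLE_RUNTIME), ("install-time grant", SAMPLE_INSTALL)):
        status, cmd = contacts_advice(PACKAGE, text)
        print(f"{label}: {status}" + (f" -> {cmd}" if cmd else ""))
```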


Pierluigi Paganini

(Security Affairs – Sarahah app, privacy)
