‘App to anonymously rate people forwards contacts’ – update
Sarahah, a popular app that allows users to anonymously rate each other, sent users’ contacts and email addresses to a central server upon installation. According to the maker, that functionality should have been removed.
Researcher Zachary Julian of security firm Bishop Fox discovered the “feature” when he examined the network traffic of the Android version, and later the iOS version, of the app with the Burp Suite tool. He shared his findings with The Intercept. According to the site, the app asks for permission to read contacts, but it is not made clear in advance that these will be forwarded. The site also reports that the app has no function that requires the data.
Initially, the app’s creator, Zain al-Abidin Tawfiq, did not respond to a request for comment from The Intercept. After the article was published, he responded on Twitter, claiming that the data was intended for a find-your-friends feature, but that this functionality had been delayed due to technical problems. According to him, the server does not currently save the contacts, and the app should no longer ask for the data after a new update. The maker also states that a former partner was supposed to have removed the function from the app.
Will Strafach, director of security company Sudo Security, explains to The Intercept that what a server does with the data cannot be verified from the outside. Nor is it possible to check whether the data is handled securely.
The app Sarahah, which means “honesty” in Arabic, allows users to rate each other anonymously. The Play Store shows that the Android version has between 10 and 50 million downloads. According to The Verge, the app has been very popular for a number of months.
Update, 8/29: The article initially mentioned e-mails instead of e-mail addresses, which has been changed.