
‘Anonymous’ Chat App Hijacks Contact Data - dsr12
https://www.bishopfox.com/blog/2017/08/hot-new-anonymous-chat-app-hijacks-millions-contact-data/
======
Moru
I often meet people who have a secret identity because a former
boyfriend/girlfriend threatens them. They never know about apps harvesting
their contacts and connecting them to common friends until their ex suddenly
shows up again.

This mindset of "If you haven't done anything bad you don't have to worry" is
so sad and ignorant of others' situations.

~~~
technofiend
This is the problem with an app assuming it understands your web of trust.
There's no way to signal a toxic, unwanted or compartmentalized connection.

It's also why I use multiple profiles in Android to force that
compartmentalization; since the snoopy apps have no context, it's better to
just deny them the data entirely.

------
yladiz
One thing I hate is when apps do this to get information about your contacts,
not only because they get who you personally know (and their phone number,
email, other info in the contact) but also contacts for businesses you
regularly might interact with, meaning they can potentially create a pretty
detailed web of your life.

For example, it's a dark pattern when you use Messenger, at least on iOS, for
the first time and it says "Upload your contacts to find friends" with an "OK"
button or "Learn More" button, and only after you click "Learn More" can you
ignore it. WhatsApp does something worse; you can't initialize a message with
anyone without allowing contacts, and the only way to add a contact is thru
the phone app (the web app definitely doesn't, and I'm pretty certain the
desktop app doesn't have the functionality to add a contact). I have to go
thru great pains to prevent WhatsApp from getting my contact info, just to be
able to add a new friend (turn off iCloud contacts, enable WhatsApp to see my
contacts, then add the contact). Maybe I am paranoid, but I really, really
want Facebook to only have the information I give it, and I don't trust
WhatsApp at all. At least WhatsApp encrypts the messages.

I really hate this pattern in apps, and I wish there was some way to give it
some kind of "blank canvas" without any real contacts in it. Thankfully apps
don't lock you completely out if you don't provide contact info, yet, but I
fear it may happen soon.

------
rvanmil
I think we need more fine-grained contact permission options.

Here's what an app on iOS can read and modify (!) when you allow it to access
your contacts:
[https://developer.apple.com/documentation/contacts/contacts_...](https://developer.apple.com/documentation/contacts/contacts_constants)

~~~
jordansmithnz
First time I looked at the framework, I expected to be able to read existing
contacts, and create new contacts. I was a little surprised at editing
existing contacts.

Nothing is really stopping an app with permission switching all of your
contact numbers so they point to someone else, whether by accident, or on
purpose. It seems like something waiting to go wrong...

~~~
imaffett
Facebook did this years ago. It went through your contacts and updated any
info (pictures, phone, email) to match what they had in Facebook.

------
trdtaylor1
Signal uses the same process. When you first install, it uploads all your
contacts to 'see' which of your contacts are Signal users. It then defaults to
Signal messages to that contact. Any new Signal user on your contact list
alerts you to the fact they are now using Signal and helpfully defaults to
Signal messaging. When you uninstall, you have to remove your number from
their central DB using their web-app to prevent your friends from sending you
Signal messages you won't be able to open.

An implied "find my friend" feature that I assume Sarahah uses.

~~~
tgragnato
Signal truncates the hashed phone numbers, before sending them to the server.
The server responds with the contacts that you have in common.

~~~
StavrosK
Does it really? I suggested that exact scheme months ago, but moxie rejected
it as "not meaningfully privacy-preserving" (probably not his exact words),
IIRC.

Edit: Here: [https://github.com/WhisperSystems/Signal-Android/issues/4726](https://github.com/WhisperSystems/Signal-Android/issues/4726)

~~~
saurik
FWIW, it isn't just not meaningfully privacy-preserving: it offers essentially
no privacy preservation at all. There are 10 billion possible US phone
numbers, and we know from Bitcoin that you can search that space in something
like ten seconds on a typical PC. You also only have to do this once to
construct a lookup table that would only take a terabyte to store and index,
and then you could offer anyone instantaneous reverse lookup from truncated
hash to phone number. It is essentially meaningless "privacy theater".

~~~
colejohnson66
You wouldn’t even need a terabyte if you didn’t mind comparing against every
hash to find the right one. 16 bytes/number at 10 billion numbers is only 160
billion bytes (160 GB). Store the hashes one after another in a flat binary
file, then `i` in `file[16*i]` is your number.

If you included the 10 byte phone number, that only adds 100 GB. Then just
store each entry as a 26 byte hash/number struct sorted by hash.

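To make saurik's and colejohnson66's point concrete, here is an added example (not code from the thread, from Signal, or from the article) that builds the flat, hash-sorted 26-byte record table described above over a small constructed number range and inverts a truncated hash by binary search. The hash function (SHA-256 cut to 16 bytes) and the 202-555-xxxx sample range are assumptions.

```python
"""Why a truncated hash of a phone number is not privacy-preserving.

Phone numbers come from a tiny space (about 10 billion 10-digit numbers), so
anyone can precompute the hash of every candidate once and invert any hash
with a lookup. Records are 16-byte truncated hash + 10-digit ASCII number,
stored back to back and sorted by hash, as described in the thread.
"""
import hashlib

HASH_LEN = 16                  # truncated digest length from the thread's estimate
NUM_LEN = 10                   # 10-digit number stored as ASCII
REC_LEN = HASH_LEN + NUM_LEN   # 26-byte record

def truncated_hash(number: str) -> bytes:
    # Assumption: SHA-256 truncated; any unkeyed hash is equally reversible here
    return hashlib.sha256(number.encode()).digest()[:HASH_LEN]

def build_table(numbers) -> bytes:
    """Flat byte string of (hash, number) records sorted by hash."""
    records = sorted(truncated_hash(n) + n.encode() for n in numbers)
    return b"".join(records)

def reverse_lookup(table: bytes, digest: bytes):
    """Binary search over fixed-size records; returns the number or None."""
    lo, hi = 0, len(table) // REC_LEN
    while lo < hi:
        mid = (lo + hi) // 2
        rec = table[mid * REC_LEN:(mid + 1) * REC_LEN]
        h = rec[:HASH_LEN]
        if h == digest:
            return rec[HASH_LEN:].decode()
        if h < digest:
            lo = mid + 1
        else:
            hi = mid
    return None

def storage_bytes(count: int, record_len: int = REC_LEN) -> int:
    """Size of a full table: 10 billion numbers * 26 bytes = 260 GB."""
    return count * record_len

# Constructed sample range: 1,000 numbers in the fictional 202-555-0xxx block
SAMPLE_NUMBERS = [f"2025550{i:03d}" for i in range(1000)]
TABLE = build_table(SAMPLE_NUMBERS)

def demo() -> str:
    # A server holding only the truncated hash of "2025550042" leaks the number
    # to anyone with a table covering the candidate space.
    return reverse_lookup(TABLE, truncated_hash("2025550042"))

if __name__ == "__main__":
    print("recovered:", demo())
    print(f"full US space: {storage_bytes(10_000_000_000) / 1e9:.0f} GB")
```

The same lookup works for any unkeyed hash, truncated or not; only a secret key (a keyed hash or a private set intersection protocol) removes the precomputation shortcut.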
------
McPepper
Access and hijack are two different terms: one implies using the data and the
other implies selling customer data. What the article says is that the app
accesses contacts for a future 'find your friend' feature.

What really bothers me is when the author says "it's possible Sarahah has
harvested hundreds of millions of names, phone numbers, and email addresses".
I believe I remember Snapchat and other social media apps having done this
before.

What Sarahah should have done is communicate with their users about what
happens to their data and how they plan their security (being an anonymous
messaging platform). But let's not forget how Snapchat dealt with their
security and data at its rise.

------
mmagin
It's really sad that the iOS/Android model COULD be more secure than the
traditional desktop software model, but at the same time it has normalized all
sorts of creepy snooping behavior on the part of apps.

------
robotbikes
Facebook messenger does this as well, yet most people aren't aware of it, nor
do they consent. There definitely should be much finer grain controls over
this type of thing. Imagine how violated people would feel if they had to have
someone take pictures of their address book (back when they were physical)
just to enter the mall, yet this occurs every day and most are unaware.

------
ap46
Kind of a r/ShowerThoughts, we should maybe make an app & voluntarily fill our
Contacts app with specific human like crap values & then sync all major apps
with it thus peppering their gold-pots with waste contacts & by the time they
catch up, the damage is already done. Rinse & repeat with slightly different
values.

~~~
xenopticon
The problem is that the big companies are not interested in phone numbers and
names. The real gold is the connections: who you talk to more frequently,
who your real friends are vs. random people you added, etc.

------
nthcolumn
From the FAQ: "Is Sarahah a hacker?! Sarahah doesn't steal data but websites
and apps impersonating Sarahah could do that". Just weird. Why would a
'personal suggestion box' app need your contacts anyway apart from the
developer's own dastardly plans? It seems they are sent in the clear as well.
I think this upsets me the most. How did she expect to get away with it?

------
spacemonkey92
One of the iOS apps I built needed contacts permission, but it's only used
within the app and never sent to my server. When I submitted it for review to
Apple, they didn't approve the app, asking the reason why I was accessing the
contacts and whether I was sending them to the server. Only if they are happy
with the answer will they approve your app.

So in a way, iOS apps are much more secure than Android.

~~~
bert_
Ok, and what if you just lie in your answer?

~~~
sigzero
Nobody can do anything about that. That company ends up getting called out
just like this one did or just like Accuweather did.

------
fareesh
I simply assume they are going to upload my contact data whenever they prompt
me for the permission. Not sure how iOS does permissions these days - do they
also have runtime permissions like Android? I know that a lot of companies
here in India skip the runtime permissions system entirely and ask for them
all at install time to handle fewer edge cases in the code, and make the user
less likely to be suspicious.

~~~
lambada
iOS has had runtime permissions for far longer than Android :) Some apps will
even explain what they (claim to) need the permission for before triggering
the permission authorisation pop-up.

------
twsted
Wasn't it what WhatsApp did years ago?

And then Facebook acquired it and was able to complete its database of the
world's relationships.

------
altotrees
This is why you should always read the terms and conditions of an app. I'm
always shocked at how many people do not take this seriously. In this age of
"data sharing" it is super important to take extra caution.

~~~
ceejayoz
That's not a solution. T&Cs are written as vaguely as possible to permit as
much flexibility as possible, and nothing stops a malicious actor from
violating their public privacy claims.

~~~
altotrees
It may not be a solution, but it's a smart thing to do and at least a step in
the right direction, no?

~~~
ceejayoz
Not really. I tend to skim T&Cs and virtually every one I've seen has language
that would probably permit this sort of behavior.

------
tobyhinloopen
"Never Attribute to Malice That Which Is Adequately Explained by Stupidity" or
something like that

~~~
friendzis
The further into the future we are, the more I start to believe the inverse
to be true in general, not only in the security world. For some reason, in
the security world a neat extra that breaks security is treated as a possible
intentional backdoor.

Without treating mistakes, incompetencies, and outright stupidities as
malicious, we grow a new generation of technologists (including me, sadly)
who do not bother to become adept in the problem domain, consult with
experts, or perform strict analysis, and who cause tons of technical debt for
the sake of moving fast. Good enough is the norm. We still see password
databases leaked in plain text, hashed without salt, or hashed with the same
salt. Maybe it was incompetence. Maybe it was stupidity. Maybe it was FIXME.
Maybe the loaded gun was left on the dinner table near a toddler because "I'm
only going to the bathroom". This is a rhetorical question: can this
stupidity be seen as malicious?

------
GrumpyNl
What did you expect? It's in their terms, but nobody reads them.

------
spacemanmatt
ISTR LinkedIn did this, too.

