‘Honesty app’ Sarahah is dishonest, as it uploads your phone contacts to the server

-
Sarahah, the anonymous feedback messaging app, is all over the place. Be it Facebook, Twitter, Instagram or Snapchat, everyone is talking about the app for the last couple of weeks.

For those unaware, 'Sarahah' - meaning 'honesty' in Arabic, is an app that allows users to send anonymous messages to others with the app. Created by Saudi Arabian developer Zain al-Abidin Tawfiq, the app is aimed to help people identify their strengths and weaknesses. However, users have no way of knowing who sent the message or how to reply to them. The app is available in two languages, English and Arabic, for iOS and Android users.

"Sarahah helps you in discovering your strengths and areas by taking the right idea from your employees and your friends in a private manner", the app description explains.

However, it now appears that the app is collecting more than just feedback messages. Apparently, the app is uploading users' phone numbers and email addresses in the company's book to the company's servers, which was spotted by Zachary Julian, a senior security analyst at Bishop Fox when he installed the app on his Android smartphone, a Galaxy S5 running Android 5.1.1.

Zain al-Abidin Tawfiq responded by tweeting that "for a planned 'find your friends' feature." However, the removal of the functionality was "delayed due to a technical issue. "He now claims that the functionality is removed from the server and the data request will be removed in a future release. He also tweeted that Sarahah currently stores no contacts in its databases, which is impossible to verify.
Julian discovered the behaviour of Sarahah using BURP Suite, a traffic analyzer, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, BURP Suite caught the app in the uploading of his private data.

"As soon as you log into the application, it transmits all the email and phone contacts stored on the Android operating system," he said. The same occurrence was later determined on Apple's iOS, although after a prompt to "access contacts", which also appears in newer versions of Android.

The above occurrence clears that the app is somewhere interested in your contacts. For instance, on iOS, the app says "the app needs access to Sarahah," and allows the user to choose between "Okay" and "Do not allow." On the other hand , in some cases on Android, the app requests access to contacts without needing such access, while in other cases it makes no such request. On both iOS and Android, there is no mention of data being uploaded to a server.

"The privacy policy specifically states that if it plans to use your data, it'll ask for your consent," Julian said. "While the app's entry in Google's Play Store does indicate the app will access contacts, that's not" enough consent "to justify" sending all of those contacts over without any kind of specific notification, "he added. On the other hand, the app on iOS platform claims to use contact information in the user's address book to show them their list of friends using Sarahah, reveals the testing done by Julian.

Even though the app's privacy policy states that, "We will never sell the data you without a third party without your prior and written consent unless it is a bulk of data used for statistics and research and it won ' t contain any data to identify you, "it is not clear as to what Sarah uses uploaded contact lists for.

For those who really want to use Sarahah and are concerned about their privacy can take comfort from the fact that they do not need to download the app to use the service. You can replace yourself on Sarah via a website after which you will be allowed to send and receive messages. The site does not ask for or require access to your contacts in the digital address books for you to use Sarahah.

Comments

Post a Comment

Popular posts from this blog

Install android studio on the parrot os

-
Image
parrot OS is based on Linux environment so we have to download Linux version of android studio. if you want Linux version android studio just click here . after the download is completed you will get the zip file of the android studio. so you need to unzip it first. then you can see several files within the unzipped folder. figure 1 represents the sample output. Figure 1 then go to bin folder which is stored in the unzipped folder. after opening the bin folder, you can see studio.sh shell script. if you execute that, the android studio will be running on your PC's.  Note:- you have to give execute permission to studio.sh for the current user before you execute studio.sh script. (sudo chmod u+x studio.sh) Figure 2 but we will be doing like this. it's annoying, so now we are going to the terminal command that is helped to us to access android studio by using terminal commands.  move your unzipped file to "/root" from Downloads. then go to "/usr
Read more

How to do simple brute force attack with burp suite

-
Image
What is brute force attack? brute force is a kind of password based attack. normally attacker checks each and every possible combination until reaching the expected output. so an attacker should check the huge amount of data but the normal human cannot do this kind of things. that's why we must move on some predefine tools to do this kind of attacks. work through this is the sample login page. we are going to attack this page and get the login credentials.(note: this is a basic login form it does not have any prevention mechanism for brute force attack.) let's try any value on this form and capture the data packet for analyzing. after analyzed we can say these data packets have username and password, which we entered previously. so we have to forward this data packet to intruder tab (right click and select intruder option). now  go to the intruder and mark the target variables which are carrying username and password. The below figure shows that. Note:
Read more

PoC video of How to Hack Gmail and Bitcoin Wallet using SS7 flaw

-
Image
A long time ago we published a report about how someone can hack WhatsApp with the SS7 by default. The standard SS7 exists for eons now with corrections, but GSM and telecom companies do not bother or trouble to repair their infrastructure against the standard. Now a Cyber ​​Security Company called Positive Technologies has released a video detail as anyone in any Gmail account can hack with a name and a phone number with the standard SS7. After the abduction of the Gmail account of the victim, the investigators then tried to steal a Bitcoin wallet with the same SS7 defect. Positive researchers sent their video to Thomas Fox-Brewster, an investigating reporter for Forbes, as well as details about hacking. What is the SS7 error? The vulnerability is found in the signaling system 7 or SS7, the technology used by telecommunication operators where the high-security message system and telephone calls depend. SS7 is a set of telephone signaling protocols developed in 1975 that make i
Read more