A report by security company SilverSky Labs revealed a security issue in the iOS version of anonymous messaging app Yik Yak, which lets hackers take over a user’s account as long as they are on the same WiFi network.
This is often easy because Yik Yak “is a location based app that is extremely popular in universities”, making it “very likely that multiple users will share the same network”, according to the report, written by Sanford Moskowitz, a security research intern at SilverSky Labs.
In fact, it is used at around 1,500 colleges, according to the Wall Street Journal. The maker of the app secured $62 million in funding last month, giving it a valuation of between $300 million and $400 million.
If the WiFi condition is met, all an attacker needs is a network card and a packet analyser such as Wireshark.
What makes the app particularly vulnerable is that in order to log in to a Yik Yak account, all that is needed is a user ID, as there is no password. “If you can find their ID, you have completely compromised the user and you’ll be able to view all their ‘private’ posts,” the report explains.
The second issue is that although the user ID is protected by HTTPS in the app’s own traffic, the app also makes calls to Flurry, a third-party analytics tool, and those calls are made without HTTPS. This means the user ID travels in cleartext and is leaked to anyone who is watching network traffic on the same WiFi network as the compromised user.
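The failure mode described above is one a pre-release traffic audit can catch: an identifier that doubles as the login credential must never leave the device over plain HTTP, nor in requests to hosts outside the app’s own backend. The following Python is an added example, not code from the report or from Yik Yak; the request records and host names in it are constructed, and the first-party host list is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts the app's own backend is expected to use (constructed for this example).
FIRST_PARTY_HOSTS = {"api.app.example"}

def find_leaks(requests, secret_param):
    """Return findings for requests that expose `secret_param`.

    Each request is a dict with keys 'url' and optional 'body' (a form-encoded
    string), modelled on an outbound-traffic capture. A value is flagged when it
    travels over plain HTTP (readable to anyone on the same network) or is sent
    to a host outside FIRST_PARTY_HOSTS (e.g. a third-party analytics SDK).
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        params = parse_qs(parts.query)
        params.update(parse_qs(req.get("body", "")))
        if secret_param not in params:
            continue
        reasons = []
        if parts.scheme != "https":
            reasons.append("cleartext")
        if parts.hostname not in FIRST_PARTY_HOSTS:
            reasons.append("third-party host")
        if reasons:
            findings.append((req["url"], reasons))
    return findings

# Constructed sample capture: one legitimate HTTPS call to the backend, and one
# analytics call carrying the same identifier over plain HTTP to another host.
SAMPLE_REQUESTS = [
    {"url": "https://api.app.example/getMessages?userID=ID-PLACEHOLDER&lat=0&long=0"},
    {"url": "http://analytics.example.invalid/collect",
     "body": "userID=ID-PLACEHOLDER&event=open"},
]

if __name__ == "__main__":
    for url, reasons in find_leaks(SAMPLE_REQUESTS, "userID"):
        print(f"{url}: {', '.join(reasons)}")
```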
This is not the first time the app has come under scrutiny. Because it lets users post messages anonymously, it has been criticised for its potential to enable cyber-bullying. Although the company has tried to restrict the app’s use through geo-fencing around school campuses, it has only had partial success.
What’s more, a similar security problem has already been reported for the Android version of the app but so far it has not been dealt with.