Popular Anonymous Honesty App Sarahah Is Riddled with Security Issues
Popular feedback app Sarahah is surrounded by controversy again, this time over security issues. A security researcher has revealed that the web version of the anonymous compliments app is rife with security flaws.
Security researcher Scott Helme has said that the flaws in the Sarahah website make it vulnerable to attacks. While identifying a number of security problems, Helme said that it is also “fairly trivial to bypass” the app’s Cross-Site Request Forgery (CSRF) protections.
“The app does deploy native CSRF protection but it turns out that in a lot (almost all) circumstances it’s fairly trivial to bypass. Endpoints like /Messages/FavoriteAjax and /Messages/DeleteAjax can be called as GET requests instead of POST requests and only require the id parameter in most cases. This makes it pretty trivial to craft a link to send to someone or launch a CSRF attack from any page you can get the victim to visit.”
In his testing, he found that attackers could exploit this flaw to favorite specific posts by predicting the sequential message ID and crafting a CSRF attack to favorite it on the user’s behalf “so it’s nice and prominent in her account”.
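To make the CSRF point concrete, here is an added illustration (not Sarahah's code, and not from Helme's write-up) of the two handler shapes the article contrasts: one that accepts any HTTP method and requires only an id, and a hardened one that refuses GET for state changes and checks a per-session token. The request, session and message-store types are minimal constructed stand-ins; the path `/Messages/FavoriteAjax` and the sequential ids are taken from the article, everything else is an assumption.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    params: dict = field(default_factory=dict)   # query-string or form fields


@dataclass
class Session:
    """Server-side session. The browser attaches the session cookie by itself,
    which is exactly why a state-changing GET link works without any token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def fresh_store() -> dict:
    """Tiny in-memory message table with sequential ids (constructed data)."""
    return {
        "1001": {"owner": "alice", "favorited": False},
        "1002": {"owner": "bob", "favorited": False},
    }


def favorite_vulnerable(req: Request, session: Session, store: dict) -> int:
    """The pattern the article describes: the method is never checked and only
    the id parameter is required, so a link the victim merely visits performs
    the action inside the victim's own session.  Returns an HTTP status code."""
    msg = store.get(req.params.get("id", ""))
    if msg is None or msg["owner"] != session.user:
        return 404
    msg["favorited"] = True
    return 200


def favorite_hardened(req: Request, session: Session, store: dict) -> int:
    """Hardened handler: state changes only over POST, and the request must
    carry the token bound to this session, compared in constant time."""
    if req.method != "POST":
        return 405                       # GET must never mutate state
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403                       # token missing or wrong
    msg = store.get(req.params.get("id", ""))
    if msg is None or msg["owner"] != session.user:
        return 404
    msg["favorited"] = True
    return 200


def run_forged_link(handler):
    """Logged-in user (alice) follows a link built around a guessable id; the
    link carries no token because whoever built it never saw one."""
    store, session = fresh_store(), Session(user="alice")
    req = Request("GET", "/Messages/FavoriteAjax", {"id": "1001"})
    return handler(req, session, store), store["1001"]["favorited"]


def run_forged_post(handler):
    """Same request submitted as a cross-site POST form, still without a token."""
    store, session = fresh_store(), Session(user="alice")
    req = Request("POST", "/Messages/FavoriteAjax", {"id": "1001"})
    return handler(req, session, store), store["1001"]["favorited"]


def run_legitimate(handler):
    """The site's own form: a POST carrying the token the server issued to alice."""
    store, session = fresh_store(), Session(user="alice")
    req = Request("POST", "/Messages/FavoriteAjax",
                  {"id": "1001", "csrf_token": session.csrf_token})
    return handler(req, session, store), store["1001"]["favorited"]


if __name__ == "__main__":
    print("vulnerable, forged GET :", run_forged_link(favorite_vulnerable))   # (200, True)
    print("hardened,   forged GET :", run_forged_link(favorite_hardened))     # (405, False)
    print("hardened,   forged POST:", run_forged_post(favorite_hardened))     # (403, False)
    print("hardened,   legitimate :", run_legitimate(favorite_hardened))      # (200, True)
```

The method check alone closes the "craft a link" case; the token check is what also stops a cross-site POST. Unguessable message ids would raise the bar further but are no substitute for either check, since the victim's own page still exposes the ids.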
Another issue Helme reported concerns the app’s lack of rate limiting: he managed to send “several hundred abusive messages” to one recipient, who would then have to sit and delete them one by one.
Issues identified by Helme:
- Sequential ID numbers
- Bypassing CSRF protection
- XSS vulnerability
- Filtering problems
- No rate limiting
- Password reset
- Account lock out
- Security headers
- Switching to HTTP
- And of course, failure to patch flaws
The third issue he pointed out is that a user can log someone else out of their account simply by requesting a password reset. Apparently, the app also locks an account for an unspecified period after 10 failed login attempts. Helme said that it is fairly easy to change the password on someone else’s account, which means, in his words, “I can change your password and then lock you out of your account too.”
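The missing rate limit on messages and the lockout-by-failed-logins problem share one building block: a counter of events per key inside a rolling window. The added example below (written for this article, not Sarahah's code) uses one such limiter twice: to cap how many messages a single sender can deliver to one recipient, and to throttle login failures per (account, source) pair instead of locking the whole account, so a burst of wrong guesses from one place does not shut the real owner out elsewhere. The limits, time values, addresses and the plaintext password table are constructed assumptions for illustration only.

```python
import hmac
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts events per key inside a rolling time window (constructed
    example; a production service would back this with a shared store)."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:   # drop events older than the window
            q.popleft()
        return q

    def over_limit(self, key, now=None) -> bool:
        now = time.monotonic() if now is None else now
        return len(self._prune(key, now)) >= self.limit

    def record(self, key, now=None) -> None:
        now = time.monotonic() if now is None else now
        self._prune(key, now).append(now)

    def allow(self, key, now=None) -> bool:
        """Check and record in one step (used for message sending)."""
        now = time.monotonic() if now is None else now
        if self.over_limit(key, now):
            return False
        self.record(key, now)
        return True


def send_message(limiter, sender_key, recipient, text, inbox, now):
    """sender_key is whatever identifier the service has for an anonymous
    sender (session, device or address derived; an assumption here).  Messages
    beyond the cap for a (sender, recipient) pair are refused."""
    if not limiter.allow((sender_key, recipient), now):
        return False
    inbox.append((recipient, text))
    return True


PASSWORDS = {"alice": "correct horse"}   # constructed; a real system stores hashes


def attempt_login(limiter, account, source, password, now):
    """Failures are counted per (account, source), so repeated wrong guesses
    from one source throttle that source, not the account's owner elsewhere."""
    key = (account, source)
    if limiter.over_limit(key, now):
        return "throttled"               # even a correct password waits here
    expected = PASSWORDS.get(account, "")
    if expected and hmac.compare_digest(expected, password):
        return "ok"
    limiter.record(key, now)             # only failures count
    return "denied"


def simulate_flood():
    """One sender fires 20 messages at one recipient within two seconds."""
    limiter = SlidingWindowLimiter(limit=5, window_seconds=60)
    inbox = []
    accepted = sum(send_message(limiter, "sender-A", "victim", f"msg {i}", inbox, now=i * 0.1)
                   for i in range(20))
    return accepted, 20 - accepted


def simulate_lockout():
    """Ten wrong guesses from one source, then the real owner from another."""
    limiter = SlidingWindowLimiter(limit=10, window_seconds=900)
    for i in range(10):
        attempt_login(limiter, "alice", "198.51.100.7", "guess", now=float(i))
    from_guesser = attempt_login(limiter, "alice", "198.51.100.7", "correct horse", now=10.0)
    from_owner = attempt_login(limiter, "alice", "203.0.113.5", "correct horse", now=11.0)
    owner_wrong = attempt_login(limiter, "alice", "203.0.113.5", "wrong", now=12.0)
    return from_guesser, from_owner, owner_wrong


if __name__ == "__main__":
    print("flood accepted/rejected:", simulate_flood())     # (5, 15)
    print("lockout outcomes       :", simulate_lockout())   # ('throttled', 'ok', 'denied')
```

Keying the login limiter on the source as well as the account is the part that matters for the lockout complaint: the account itself never enters a locked state that a third party can trigger. The same limiter keyed on (sender, recipient) is what would have turned "several hundred abusive messages" into a handful.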
Sarahah also lacks a bulk delete function, forcing the victim to individually read and delete every harassing message even if they come in quick succession and they know there would be nothing good in there.
Sarahah needs to be more responsible and transparent
After sharing a long list of bad security practices, Helme said that he’d like the app developers to be more transparent about how the app and data is secured.
“I’d like to see Sarahah provide information on how messages are protected during transmission and storage. A huge range of apps like WhatsApp, Facebook Messenger and Signal have put a massive focus on end-to-end (E2E) encryption and the privacy of their users, what steps are Sarahah taking? Can they read our messages? If they were breached could a hacker read our messages? Their lack of 2FA or 2SV is also an obvious opportunity for them to improve and better protect their users.”
After trying to advise Sarahah of these issues through email, Twitter and Facebook and failing to get any serious response, Helme has now published the details online. “As we’ve seen in the past it’s very common for anonymous messaging services and platforms to be used for abuse and bullying,” Helme wrote.
“Given the nature of the service and the young demographic of their users I would have hoped the company was responsive and engaged in the disclosure process but I feel it was almost the opposite.”
This isn’t the first time Sarahah has made headlines over security issues. Back in August, it was discovered that the app was uploading its users’ entire contact lists, without their consent, for a “future” feature that never launched. The app developer, Zain Al-Abidin Tawfiq, said at the time that “the data request will be removed on next update”.
The “honest feedback” app holds the number one spot in the App Store, and in more than 10 countries on the Play Store as well. The security researcher said that “an app of this nature should be very security and privacy focused”, not only because of its immense popularity but also because of the sensitivity of the messages sent and the anonymity it offers the sender.