Hairy MitM exploit independently discovered by two security researchers

Yik Yak fixes information disclosure bug that leaked users' GPS location

‘Anonymous’ social network Yik Yak took more than three months to address vulnerabilities that meant it wasn’t anonymous at all, despite reports from two different security researchers.

Launched in 2013, Yik Yak allows users to message one another anonymously, but was shut down in 2017 after allegations of cyberbullying. It restarted last year, and currently claims around two million users.

CATCH UP Encrypted email service CTemplar announces closure

Earlier this month, Wisconsin-based computer science student David Teather revealed that he’d been able to access users’ precise locations, accurate to within 10ft to 15ft, along with user IDs, for all posts and comments made on the site.

This, he pointed out, meant that, particularly in rural areas, it could be possible to locate a user’s home address, potentially for the purposes of theft or stalking.

The researcher was able to do this by intercepting HTTP requests from the client using the open source Mitmproxy tool. This, he says, was “fairly trivial to do”.

Duplicate findings

Teather submitted his findings to Yik Yak on April 11, not knowing that another researcher, Mika Melikyan, had reported the same problem months earlier.

“We discovered similar issues, but Mika dug deeper than myself and was able to become an admin on the Yik Yak database,” Teather tells The Daily Swig.

“I was not aware of his work, but he reported his issues to Yik Yak in February.”

Read more of the latest hacking news from around the world

Melikyan says his February 1 report focused on the GPS data breach.

“However, more vulnerabilities were discovered, such as: any user could escalate their privileges and become an admin, any user could modify or delete arbitrary posts on the timeline, any user could modify the ‘upvote’ count on arbitrary posts,” he tells The Daily Swig.

“This meant that an attacker could alter any post to have thousands of upvotes. This is dangerous because it can be used as a tool to artificially generate social acceptance. Imagine, right before elections, an anonymous post was made that praised a presidential candidate and altered to have 100,000 upvotes.”

Under-the-hood changes

With the two researchers reporting independently, Yik Yak made changes on May 8 that resulted in the app no longer returning user IDs to the client. On May 18, it went further, reducing the accuracy of GPS location, as well as the distance between users.

However, says Melikyan, “there were multiple Yik Yak app updates between February 1 and May, none of which addressed the vulnerabilities. Developers were fully aware of it, and they did not prioritize it.”

We’ve contacted Yik Yak for a response, and will update if we receive a reply.

YOU MIGHT ALSO LIKE WordPress theme Jupiter patches critical privilege escalation flaw