Dr-HackI never liked the concept of Sarahah but its famous and everyone is crazy about it. I just used it in a sandbox environment and never thought I would post about this privacy flaw but recently my timeline is filled with people who have been sharing their Sarahah profiles to get some honest queries by their stalkers (hmm)
Sarahah Uploads all your contacts to their Servers
If you have been using Sarahah App, your Contacts(Names,Numbers and Emails) have been uploaded to Sarahah server and no one knows why.
Zachary Julian, a senior security analyst at Bishop Fox, discovered the intrusive behavior when he installed the social media app on his Android 5.1.1. He used Burp Suite to see what data was entering and leaving his phone.
“Once I logged in I noticed what I’ve come to expect—authentication requests to receive messages, profile info” Julian mentioned . “Immediately after that—a couple seconds after logging in—it made two separate HTTP requests, one for all of your device’s phone contacts and all of your device’s emails.”
Sarahah App asked for contacts for a planned "find your friends" feature
— زين العابدين توفيق (@ZainAlabdin878) August 27, 2017
Sarahah CEO responded while saying the contact lists were uploaded for an upcoming “find your friends” feature that was delayed due to technical issues. He claims the Sarahah servers do not currently host contacts and that the data request will be removed on the next update.
Sarahah is Malicious ?
Who knows, but the fact that they have been uploading your contacts while there is NO utility of the same inside the app means there is something off – if you look at the public metrics of downloads for the app you will be able out that hundreds of millions of contacts numbers with names have been uploaded to their servers
[PoC] Sarahah Uploading Contacts
If in future there is any utility of these uploaded user private data as CEO Sarahah has mentioned that they are uploading the contacts to see if any of your friends are also using the same app , but its only his word against the fact that they are harvesting user information and stealing our contacts for no reason.
Sarahah, the anonymous messaging app that has exploded in popularity over the last few months, has been uploading users’ phone contacts to its company servers for no apparent reason as others were happy getting some real honest thoughts
be safe
Abdul Raziq
Add comment