Internet Security Blog - Hackology

Sarahah App stealing your contact information

I never liked the concept of Sarahah but its famous and everyone is crazy about it. I just used it in a sandbox environment and never thought I would post about this privacy flaw but recently my timeline is filled with people who have been sharing their Sarahah profiles to get some honest queries by their stalkers (hmm)

Sarahah Uploads all your contacts to their Servers

If you have been using Sarahah Appyour Contacts(Names,Numbers and Emails) have been uploaded to Sarahah server and no one knows why.

Zachary Julian, a senior security analyst at Bishop Fox, discovered the intrusive behavior when he installed the social media app on his Android 5.1.1. He used Burp Suite to see what data was entering and leaving his phone.

Once I logged in I noticed what I’ve come to expect—authentication requests to receive messages, profile info” Julian mentioned . “Immediately after that—a couple seconds after logging in—it made two separate HTTP requests, one for all of your device’s phone contacts and all of your device’s emails.

Sarahah CEO responded while saying the contact lists were uploaded for an upcoming “find your friends” feature that was delayed due to technical issues. He claims the Sarahah servers do not currently host contacts and that the data request will be removed on the next update.

Sarahah is Malicious ?

Who knows, but the fact that they have been uploading your contacts while there is NO utility of the same inside the app means there is something off – if you look at the public metrics of downloads for the app you will be able out that hundreds of millions of contacts numbers with names have been uploaded to their servers

[PoC] Sarahah Uploading Contacts

If in future there is any utility of these uploaded user private data as CEO Sarahah has mentioned that they are uploading the contacts to see if any of your friends are also using the same app , but its only his word against the fact that they are harvesting user information and stealing our contacts for no reason.

Sarahah, the anonymous messaging app that has exploded in popularity over the last few months, has been uploading users’ phone contacts to its company servers for no apparent reason as others were happy getting some real honest thoughts

be safe

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get Wise

Subscribe to my newsletter to get latest InfoSec / Hacking News (1 Email/week)
Utopia p2p Ecosystem

Discover more from Internet Security Blog - Hackology

Subscribe now to keep reading and get access to the full archive.

Continue reading