Whisper, an anonymous secret-sharing app, failed to keep messages or profiles private

Millions of users’ private profiles and highly sensitive datasets were viewable online.
Written by Charlie Osborne, Contributing Writer

Whisper is a secret-sharing app where you can post anonymous messages, but security failures ensured user content and profiles were available for anyone online to view. 

The inadvertent data exposure was caused by an open database with no credentials or password protection in place, as reported by the Washington Post

See also: Chinese hackers use decade-old Bisonal Trojan in cyberespionage campaigns

Independent researchers Matthew Porter and Dan Ehrlich came across the data treasure trove, which contained approximately 900 million records spanning back from the app's launch in 2012 to the present day. 

While the records did not include user names, it included nicknames, stated ages, ethnicities, genders, hometowns, group memberships -- some of which are sexual in nature -- and location data tied to posts. 

The location information included coordinates from the last post a user has submitted, "which pointed back to specific schools, workplaces, and residential neighborhoods," according to the publication. 

CNET: Clearview AI facial recognition app maker sued by Vermont

Once alerted to the open database, on Monday, Whisper restricted access and plugged the authentication security gap. Federal law enforcement agencies have also been notified. 

The secret-sharing app said in a statement that the database was "not designed to be queried directly"; instead, the information contained within was only intended to be public for users within the application. 

Whisper came under fire in 2014 after The Guardian revealed how users' locations were being tracked, even if options to disable location monitoring were selected. At the time, over 2.6 million messages were being posted on a daily basis. 

TechRepublic: Cyberattackers are delivering malware by using links from whitelisted sites

Last year, Pen Test Partners researchers found that four dating and sexual encounter mobile apps -- 3Fun, Grindr, Romeo, and Recon -- were leaking the precise location coordinates of users. While 3Fun had some of the "worst security for any dating app we've ever seen," according to the researchers, the remaining three were vulnerable to GPS location exposure through GPS spoofing and trilateration tools. 

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards