Yik Yak is an anonymous, controversial social media application that allows people to make posts that are visible to other users within ~2 miles. Often landing a top 10 spot in the iOS App Store, this app has become increasingly popular with high school and college students.

Due to the anonymous nature of the app, users often post private, personal (or just plain stupid) thoughts that they would never reveal to offline friends. It should be evident that the company must take the necessary precautions to prevent users' posts from being exposed by a malicious attacker. The app bills itself as a place to "share your thoughts with people around you while keeping your privacy."

In this paper, we present a new vulnerability in the Yik Yak iOS application. First, we discuss the vulnerability and its implications. Then, we show exactly how the vulnerability can be exploited to take complete control over a user's account. The only requirement is that both the attacker and target are on the same WiFi network. As a location-based app that is extremely popular in universities, it is very likely that multiple users will share the same network. Finally, we conclude with a little treat for Android users.

Applications that deal with sensitive information should encrypt this info before sending it across the Internets. The standard way to do this is by using HTTP Secure, aka HTTPS, which is built on top of SSL/TLS. An application that successfully implements HTTPS communication is generally considered to be safe against man-in-the-middle attacks. In general terms, this means that someone monitoring the traffic between the server and the app won't be able to steal any data. Yik Yak's HTTPS communication for iOS is actually fine (Android, not so much; more on this later). An attacker will NOT be able to view the communication between the app and the server.

The vulnerability begins with the fact that Yik Yak's sole means of user identification is one string: the userID. You can log in to anyone's account with just their userID. If you can find their ID, you have completely compromised the user and you'll be able to view all their "private" posts. Yik Yak, like many apps, does not only communicate with its own server API.
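The root cause described above is that a single identifier doubles as the credential: whoever learns the userID is the user. The following Python sketch, added here as an illustration and not code from the paper or from Yik Yak, places that design beside a hardened one in which the userID only names the account and a separate random secret, issued once at enrollment, must be presented to log in. The user table, the `IdentifierOnlyServer` and `SecretBackedServer` classes and the `compare_designs` helper are all constructed for this example.

```python
import hmac
import secrets

# Constructed sample data: a fake user table, not Yik Yak's real backend.
USERS = {"user-1234": ["private post A", "private post B"]}


class IdentifierOnlyServer:
    """Weak design: the userID is both the identifier and the only credential.
    Anyone who learns the ID is indistinguishable from the account owner."""

    def __init__(self, users):
        self.users = users

    def login(self, user_id):
        # No secret is checked; knowledge of the ID alone grants access.
        return self.users.get(user_id)


class SecretBackedServer:
    """Hardened design: the userID only names the account. A separate random
    secret, generated server-side and handed to the device once, is required."""

    def __init__(self, users):
        self.users = users
        self.secrets = {}  # user_id -> enrollment secret (hypothetical store)

    def enroll(self, user_id):
        # 256-bit random secret; must only ever travel over HTTPS, since a
        # secret sent in plaintext is as exposed as the bare userID was.
        device_secret = secrets.token_hex(32)
        self.secrets[user_id] = device_secret
        return device_secret

    def login(self, user_id, presented_secret):
        stored = self.secrets.get(user_id)
        if stored is None:
            return None
        # Constant-time comparison so the check does not leak the secret via timing.
        if not hmac.compare_digest(stored, presented_secret):
            return None
        return self.users.get(user_id)


def compare_designs(user_id="user-1234"):
    """Return (weak_login, hardened_login_with_id_only, hardened_login_with_secret)."""
    weak = IdentifierOnlyServer(USERS)
    hardened = SecretBackedServer(USERS)
    real_secret = hardened.enroll(user_id)

    weak_result = weak.login(user_id)                          # posts: ID alone suffices
    guess_result = hardened.login(user_id, "not-the-secret")   # None: ID alone is rejected
    real_result = hardened.login(user_id, real_secret)         # posts: secret required
    return weak_result, guess_result, real_result


if __name__ == "__main__":
    print(compare_designs())
```

The point of the second class is not the specific mechanism (a device secret, a session token or a signed request would all do) but the separation of naming from authentication: an identifier that may appear in logs, analytics requests or other non-sensitive traffic must never be sufficient on its own to act as the user.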