My journey into security analysis started with YikYak, a social media app, exposing post GPS locations. I was initially only looking at YikYak to create a Python package for interacting with their API, but their API was exposing the location of each post, allowing a potential bad actor to track the movements of users based on their posting activity.
As much as I'm disappointed in the lack of security around protecting users' data, I'm glad I discovered it because it made me start my security blog on The Response Times and help protect user data from malicious actors.
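The core of the YikYak problem above is that the API returned coordinates at far more precision than the feature needed. The defensive fix is to coarsen locations server-side before they leave the backend, and to aggregate them into cells with a minimum count before building anything like a public heatmap. The following is an added example written for this page, not code from YikYak or from the author's package; the constants, the grid-snapping approach, the `min_count` threshold and the sample points are all my own assumptions.

```python
"""Coarsening GPS coordinates before exposing them through an API.

Two ideas are demonstrated:
  1. resolution_metres(): how much ground a coordinate covers when kept to
     N decimal places, so you can reason about what precision an API leaks.
  2. snap_to_grid() / heatmap_cells(): snap every point to a coarse grid
     (deterministic, so repeated posts by one user never average back to the
     true position) and drop cells with too few posts before publishing.

Added example; constants and thresholds are assumptions, not YikYak's values.
"""
import math
from collections import Counter
from typing import Dict, Iterable, Tuple

# Approximate metres per degree of latitude (assumed average; longitude
# shrinks by cos(latitude) toward the poles).
METRES_PER_DEGREE_LAT = 111_320.0

Cell = Tuple[float, float]


def resolution_metres(decimals: int, latitude: float = 0.0) -> float:
    """Approximate size in metres of one step at `decimals` decimal places.

    Latitude steps are the larger of the two axes, so the latitude step is
    the conservative figure to quote when judging how precise an API is.
    """
    step = 10.0 ** -decimals
    lat_step_m = step * METRES_PER_DEGREE_LAT
    lon_step_m = lat_step_m * math.cos(math.radians(latitude))
    return max(lat_step_m, lon_step_m)


def snap_to_grid(lat: float, lon: float, decimals: int = 2) -> Cell:
    """Round a coordinate pair to a grid cell so the client never sees more.

    Rounding (rather than adding random jitter) is deliberate: jitter can be
    averaged away over many posts, a fixed grid cannot.
    """
    return (round(lat, decimals), round(lon, decimals))


def heatmap_cells(points: Iterable[Tuple[float, float]],
                  decimals: int = 2,
                  min_count: int = 5) -> Dict[Cell, int]:
    """Aggregate raw points into grid cells and suppress sparse cells.

    Cells with fewer than `min_count` posts are dropped so that a lone poster
    in a quiet area is not re-identifiable from the published counts.
    """
    counts = Counter(snap_to_grid(lat, lon, decimals) for lat, lon in points)
    return {cell: n for cell, n in counts.items() if n >= min_count}


# Constructed sample input: six posts clustered in one area, two in another.
SAMPLE_POINTS = [
    (40.7128, -74.0060), (40.7131, -74.0071), (40.7140, -74.0085),
    (40.7110, -74.0100), (40.7105, -74.0125), (40.7149, -74.0149),
    (51.5074, -0.1278), (51.5080, -0.1290),
]


if __name__ == "__main__":
    for d in (5, 4, 3, 2):
        print(f"{d} decimals ~ {resolution_metres(d):8.1f} m per step")
    print("published cells:", heatmap_cells(SAMPLE_POINTS))
```

Running it prints the per-decimal resolution table and a single published cell: the two-post cluster is suppressed by `min_count`. The resolution numbers make the page's point concrete: five decimal places is roughly a metre, which is the order of precision being handed to every client.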
Highlights
- YikYak
  - Featured in Vice & The Verge
  - YikYak was exposing precise GPS coordinates, accurate to within 10-15ft, to everyone
  - Created a cool little anonymized heatmap
  - YikYak implemented some changes that somewhat improved privacy, then they were bought out
- LINK.social
  - Had a hugely insecure login flow that allowed anyone to log in as any other account
  - The API route took a user id and returned that user's authorization token with no other checks
  - Allowed me to access every user's precise GPS location, phone number, birthday, and whether they had verified their identity using an ID photo
  - I was given $500 as a bug bounty, which was nice :)
  - Luckily the app was only in beta and only had a few hundred users at the time
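The LINK.social flaw described above is a textbook broken-authentication bug: the server treated a client-supplied user id as proof of identity and handed back the matching token. The following added example is my own illustration, not LINK.social's code; the in-memory store, the PBKDF2 parameters and the session model are assumptions chosen to keep it runnable offline. It puts the flawed route next to a hardened one so the difference is visible: the hardened path verifies a credential before issuing a fresh session token, and a separate authorization check ensures a session can only read its own sensitive profile fields.

```python
"""Vulnerable vs. hardened token issuance (added example, assumptions only).

vulnerable_token_for():  the pattern the page describes. A user id in, that
                         user's long-lived token out, no credential checked.
hardened_login():        verifies a password against a salted PBKDF2 hash and
                         only then mints a random, per-session token.
get_profile():           authorization check on top of authentication: the
                         session may only read the profile it belongs to.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumed tuning value for this demo

# Constructed in-memory user store; "token" is the static per-user token the
# vulnerable route leaks. Field names are hypothetical.
USERS: Dict[str, dict] = {}
SESSIONS: Dict[str, str] = {}  # session token -> user id


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(user_id: str, password: str, profile: dict) -> None:
    """Create a user with a salted password hash and a static legacy token."""
    salt = secrets.token_bytes(16)
    USERS[user_id] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "token": secrets.token_urlsafe(24),  # what the vulnerable route returns
        "profile": profile,
    }


def vulnerable_token_for(user_id: str) -> Optional[str]:
    """The flaw: knowing (or guessing) a user id is enough to get their token."""
    user = USERS.get(user_id)
    return user["token"] if user else None


def hardened_login(user_id: str, password: str) -> Optional[str]:
    """Issue a session token only after the caller proves they hold the password."""
    user = USERS.get(user_id)
    if user is None:
        return None  # same response as a bad password: no user enumeration
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)  # fresh per session, not stored on the user
    SESSIONS[token] = user_id
    return token


def get_profile(session_token: str, requested_user_id: str) -> dict:
    """Authentication (valid session) plus authorization (own record only)."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise PermissionError("not authenticated")
    if caller != requested_user_id:
        raise PermissionError("not authorized for that user")
    return USERS[requested_user_id]["profile"]


# Constructed sample users; phone numbers use the reserved 555 range.
register("u-1001", "correct horse battery staple",
         {"phone": "+1-555-0100", "birthday": "1990-01-01", "id_verified": True})
register("u-1002", "hunter2",
         {"phone": "+1-555-0101", "birthday": "1992-02-02", "id_verified": False})


if __name__ == "__main__":
    print("vulnerable route, no password:", vulnerable_token_for("u-1002"))
    print("hardened, wrong password:", hardened_login("u-1001", "nope"))
    tok = hardened_login("u-1001", "correct horse battery staple")
    print("hardened, own profile:", get_profile(tok, "u-1001"))
    try:
        get_profile(tok, "u-1002")
    except PermissionError as exc:
        print("hardened, other user's profile:", exc)
```

Two details carry the security weight: `hmac.compare_digest` keeps the hash comparison constant-time, and the unknown-user and wrong-password cases return the same `None` so the login route cannot be used to enumerate valid ids, which is exactly the input the vulnerable route depended on.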
I really enjoy doing this kind of work; although it can be frustrating at times, it is interesting to me and combines a lot of my interests. I'd like to spend more time working on this kind of analysis, but finding targets to analyze is difficult.