In 2012, a team of developers created the Whisper app to help its prospective users exchange ideas, advice, feelings, and thoughts without revealing their true identities. Now, Matthew Porter and Dan Ehrlich, security analysts at Twelve Security, have uncovered a significant flaw in Whisper. The flaw allowed them to gain password-free access to a database containing more than 900 million posts. The database also revealed the stated age, gender, nickname, hometown, and religious beliefs of the people who published each of those posts. Given the nature of some of the messages, the personal data associated with them is sufficient to 'unmask or blackmail' the people who wrote them.
Whisper's Team Shifts the Blame Onto Users
Whisper's camp said it was the users' prerogative to decide what 'to share or not share', as this was a feature of the app itself. Although the database is no longer exposed, it had remained unprotected for years. The entire database may have already been downloaded by anyone who wanted to do so. Any hacker who already has a copy might use the data against any Whisper user who happens to have created more sensitive posts.
Whisper's users have the right to reveal one or more of their details: nickname, age, gender, location, or ethnicity. Yet, given the underlying privacy risk, the app's database should be immune to external attacks.
Some Comments Came From Youths, and Others Revealed Military Locations
The database records contain a considerable number of posts associated with underage users. For example, there were nearly 1.3 million posts created by 15-year-olds alone. What is more, that number may be much higher once all the other adolescents are taken into account.
Apart from children, Whisper appears to have gained popularity with the military, as well. It seems, however, that hundreds of army recruits have left their location visible when posting on Whisper. As a result of this misstep, any hacker could determine the exact location of hundreds of military bases around the globe with a high degree of certainty.
When it comes to geo-tracking, history may be repeating itself. In 2014, Whisper was accused of tracking its users' locations even if some of those users had unequivocally disabled this feature. Back then, Whisper's team refuted these allegations. However, they admitted that they could occasionally use GPS to examine the location of a user if he or she appeared to be involved in newsworthy matters of substance.