Sarahah, the popular anonymous messaging app, is secretly uploading all email addresses and phone numbers in the user's address book to its servers, according to a report on The Intercept. The report quotes Zachary Julian, a senior security analyst at Bishop Fox, who made the discovery when he installed the Sarahah app on his smartphone. The app's developer has also acknowledged that this behaviour is real.
Julian's phone was running Burp Suite, a tool "which intercepts internet traffic entering and leaving the device," and this is what spotted Sarahah uploading his private data. According to the researcher, the app "transmits all of email and phone contacts stored on Android." Interestingly, Sarahah appears to be doing the same on iOS as well. The researcher has also shared a video showing exactly how the app continues to violate user privacy. The video is available on Vimeo.
Sarahah did not initially respond to the report. Later, the app's creator, Zain al-Abidin Tawfiq, said that this feature, whereby the app uploads the entire contact list to its servers, would be removed in a later update. He also tweeted that the feature was intended for an upcoming update to the app that would let users find their friends on it. That is hard to believe, given that the app is built around anonymity and finding friends on it would be counter-productive. Check out his tweets below.
While the developer insists this is a technical issue that was due to be removed from the app, it does raise questions about privacy and how the app treats user data. The researcher has also shown that if the app is not used for some time, it re-uploads the contacts again, so this is clearly a feature the developer was aware of.