Hackers at Rhino Security Labs figured out a way to dupe Secret's system.
To join Secret's community, the app imports your contacts. It then labels which posts are from your friends.
To prevent you from tracking a particular person, Secret requires that seven of your contacts post to the network before it labels their posts.
But here's the hack: Fill your phone's contact list with fake people and only one real contact — your target. If you control posts coming from these dummy Secret accounts, it's easy to spot when your real "friend" is posting.
"Poison the data on the outside, bring it in as trusted data, and voilà! You make the system work for you," said Bryan Seely, a Rhino researcher in Seattle.
Why does it matter? Consider these recent posts.
From someone in Tel Aviv, Israel: "I am an Arab. I live near Jerusalem. I am against war, and I believe in democracy. Hamas is bad for all Muslims! Stop Hamas! If someone found out I said that, I would be executed!"
A person in Utah: "Having an invisible illness is killing me. Literally. And I'm only 24."
And someone in Poland: "I told everyone that cat made those scars."
The security researchers notified the San Francisco startup last week, and Secret said it issued a fix immediately. Now, if you import a bunch of fake friends and only one real one, the real one won't be tagged as a "friend," Seely said. It's security through obscurity.
Secret CEO David Byttow blamed an app software update, saying the hack was "arduous," not 100% accurate and only possible for a short time.
"We're incredibly grateful to these folks for coming to us. We patched a similar issue back in May," Byttow said, adding, that the problem was fixed within 'a matter of hours.'
But consider this a reminder about a mantra in the hacker community: Nothing you do in the digital realm is truly anonymous. Eventually, it will be traced back to you.