Sarahah app exposed for quietly uploading users’ contacts to company servers without proper permissions

The anonymous messaging app Sarahah has been uploading your phone’s contacts to the company’s servers without your knowledge or permission. The security loophole was first discovered by analyst Zachary Julian and The Intercept was the first publication to report the same. The harvesting of a user’s contacts is a big setback for users of the Sarahah app and opens them up to multiple security risks. Sarahah’s privacy policy states that it will not sell user data to third parties unless it is part of bulk data used for statistics and research.

The Sarahah app has recorded millions of downloads on the Google Play Store and the Apple App Store combined. According to Julian, the app that plays on getting users “honest feedback” from their friends, quietly harvests and uploads its user’s phone contacts to the company’s servers.These include all phone numbers and email addresses stored in your device’s address books.

While Sarahah does ask for permission to access a user’s contacts, it does not specify that the same are being uploaded and stored on its servers. Julian, a senior security analyst at Bishop Fox, installed the Sarahah app on a Galaxy S5 running Android 5.1.1. The device was running a security monitoring software called BURP Suite, which allowed him to see data from his phone being sent to remote servers. On installing and running Sarahah, Julian discovered that the app was sending his personal contacts data to the company’s servers without proper permissions.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

More in Technology