The latest social media rage, Sarahah, might not be as safe as it claims. Apparently, the application has been quietly uploading to its server the contacts of users who downloaded it and granted it access to their address book.
The strangest thing is that this is being covered up in the name of a feature that does not exist so far. According to a report by The Intercept, the application has been uploading user contacts to its server without proper permission to do so.
A senior security analyst, Zachary Julian, installed the application on a Samsung Galaxy S5 running Android 5.1.1. The analyst had monitoring software installed on the device that recorded the flow of data leaving the phone.
This flow of data indicated that the Sarahah application was uploading contact information in the form of email IDs and phone numbers. The same behaviour was found in the iOS application.
He also claims that if the user does not use the application for a long time, the app resends the contact information to the server.
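The analysis described above rests on one idea: watch what the app sends and look for address-book data in it. The following is an added example (not code from The Intercept's report or from the analyst) showing how a defender can triage a traffic capture for that pattern. It assumes the capture has already been exported as a list of outbound requests with their raw bodies; the sample requests below are constructed and the host name is a placeholder, not real Sarahah traffic.

```python
import json
import re

# Patterns for the two kinds of contact data the report names: e-mail addresses
# and phone numbers. Phone matching is deliberately loose (digits with optional
# separators) and is meant to flag candidates for review, not to be authoritative.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def extract_contact_data(text):
    """Return (emails, phones) found anywhere in a request body."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    # Normalise phone candidates by stripping separators so duplicates collapse.
    phones = sorted({re.sub(r"[\s().-]", "", m) for m in PHONE_RE.findall(text)})
    return emails, phones


def scan_requests(requests, min_hits=3):
    """Flag outbound requests whose body carries many contact-like values.

    `requests` is a list of dicts with 'host', 'path' and 'body' (raw text).
    A single e-mail in a login form is normal; a body carrying several
    addresses and numbers at once looks like an address-book upload.
    """
    findings = []
    for req in requests:
        emails, phones = extract_contact_data(req["body"])
        hits = len(emails) + len(phones)
        if hits >= min_hits:
            findings.append({
                "host": req["host"],
                "path": req["path"],
                "emails": len(emails),
                "phones": len(phones),
            })
    return findings


# Constructed sample capture (not real Sarahah traffic): one ordinary login
# request and one request whose JSON body carries a contact list.
SAMPLE_CAPTURE = [
    {
        "host": "api.example-app.invalid",
        "path": "/v1/login",
        "body": json.dumps({"user": "alice@example.com", "password": "hunter2"}),
    },
    {
        "host": "api.example-app.invalid",
        "path": "/v1/contacts/sync",
        "body": json.dumps({"contacts": [
            {"name": "Bob", "email": "bob@example.org", "phone": "+1 (555) 010-2345"},
            {"name": "Carol", "email": "carol@example.net", "phone": "555-010-9876"},
            {"name": "Dave", "phone": "+44 20 7946 0958"},
        ]}),
    },
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_CAPTURE):
        print(f"{f['host']}{f['path']}: {f['emails']} e-mails, {f['phones']} phone numbers")
```

The threshold `min_hits` is what separates an expected single-address login from a bulk upload; on a real capture it should be tuned per endpoint, and any hit should be confirmed by reading the decoded body rather than trusted on pattern matches alone.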
Initially the company failed to respond, but once the report was published it gave a seemingly elaborate reason for the suspicious activity. The founder of the application, Zain al-Abidin Tawfiq, tweeted that the application asked for contact details for a new "find your friends" feature.
He further explained in a tweet: "It was delayed due to a technical issue. The database doesn't currently host contacts and the data request will be removed on next update." According to the developer, the task of removing this feature had been handed to an ex-partner who "missed that".
Requesting contact information is nothing new on Android's Play Store or iOS' App Store, but usually there is a clear purpose behind the permission. Here, the app not only accessed the contact information but also uploaded it to its servers. Once the data is on those servers, the user has no control over how the contacts are used.
Even assuming that the company does not intend to misuse this information, there is still a chance that the server could be compromised and the data stolen and used for any purpose.
The app went viral earlier this month with over 10 million downloads on Android's Play Store alone. Considering the huge database the application got access to, the threat of a data breach becomes even scarier.
The service can also be used without downloading the application. Much like Facebook, a website version is available for anyone to use, without any apparent threat to the user's personal data.