The web-based version of anonymous feedback app Sarahah is riddled with security flaws, according to a researcher.
Sarahah is a well established mobile app that allows people to receive anonymous feedback messages from friends and co-workers. Flaws in the technology make it vulnerable to web-based attacks including cross-site scripting and CSRF, according to security researcher Scott Helme.
Helme found that it was “trivially easy” to bypass Cross-Site Request Forgery (CSRF) protection in the app. CSRF is a class of attack that forces an end user to execute unwanted actions on a web application.
Ask.fm, another technology popular with teenagers, became a platform for insults and flaming, partly because of the ability to send anonymous messages brought out the worst in people.
The Sarahah app does seem to have some rudimentary filtering in place to prevent abuse of other members but it doesn’t include rate limiting. This omission meant Helme was able to anonymously send hundreds of messages to a test account.
Helme told El Reg that Sarahah exhibited numerous flaws he was surprised to find in a mature web app.
“My biggest worry is that this is a brand new application and the issues were not difficult to find at all,” Helme explained. “They are basic issues I wouldn't expect to find in a new app and as a result I'm concerned the app hasn't undergone any security testing prior to release. If it has then I'd be raising some very serious questions with the firm that did the testing as to why such fundamental flaws were missed.”
In response to queries from El Reg, Sarahah acknowledged Helme's research had uncovered flaws in its technology. “We have passed the items to our developer and doing our best to solve the issues,” it said.
Sarahah is the number one app on Apple’s App Store and is number one in more than 10 countries on Google Play too.
Helme first reported issues a few months ago, in early August. He expressed frustration about the slow response.
“An app of this nature should be very security and privacy focused,” he explained. “I was disappointed at how difficult it was to contact the firm to responsibly disclose these issues that affect their users and how poor the response and handling was once I made contact.” ®
Sponsored: Webcast: Ransomware has gone nuclear