Sarahah Uploads Contacts and Personal Information to Remote Servers

August 28, 2017

Sarahah is a fairly new application. However, it became quite popular within a few weeks of its launch. Why? Because Sarahah allows you to receive questions and feedback from friends and other people while their identity stays anonymous.

Sarahah already has 18 million downloads, which says a lot about its popularity. Moreover, it is the third most downloaded free application on the Apple App Store and the fifth most downloaded application on the Google Play Store.

Recently, there have been a few developments that might hamper its popularity. If they are not taken care of, people might stop using it altogether.

Privacy Breach?

Well, it looks like Sarahah is doing a lot more than just getting you anonymous feedback and questions. Sarahah uploads your phone contacts, emails and other personal information to remote servers as soon as you first launch the application. This is a nightmare for an application that talks about privacy.

According to Bishop Fox’s senior security analyst Zachary Julian, both Android and iOS ask for permission before accessing contacts, but at this point we are not sure where this data is uploaded.

How Was It Found?

Julian found out that Sarahah was uploading his address book when he first launched the application on his Galaxy S5. Using Burp Suite, a monitoring software, he found that the data was uploaded to a remote server.

He found out that the application keeps on refreshing and uploading the data to the servers. If you close the application and launch it again, it will again upload the data to the servers. This was quite surprising for Julian.

However, Zain Alabdin Tawfiq, founder of Sarahah, said that it is for the new feature “Find your friends”, which will soon be removed in the upcoming version of the app. He also mentioned that details are being stored in the database, that there are some issues with removing this feature, and that the developers are working on it and will soon roll out a new version of the application.

Drew Porter also raised his concerns about the application:

“It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised.”

On iOS devices, the app requests access by saying that ‘the app needs to access your contacts to show you who has an account in Sarahah’, without doing so, while in some cases on Android it doesn’t even mention any specific reason.

The application’s privacy policy clearly says that it will ask for permission if it intends to use your data. However, there is no mention of uploading data to the servers. A new Sarahah update will roll out soon, and after the claims of a privacy breach the developers are trying to release the new version as soon as possible. So, let’s see whether this privacy breach is fixed or not.

Source: Intercept
