The Sarahah app has been found to send all contacts and email addresses stored on a user’s phone to the company’s servers without seeking proper permission. As per creator Zain al-Abidin Tawfiq, the feature was supposed to have been disabled by a former partner and was put in place for an upcoming ‘find your friends’ feature.
The Sarahah app has recorded millions of downloads on the Google Play Store and the Apple App Store combined. According to Julian, the app, which plays on getting users “honest feedback” from their friends, quietly harvests and uploads its users’ phone contacts to the company’s servers. These include all phone numbers and email addresses stored in the device’s address book.
While Sarahah does ask for permission to access a user’s contacts, it does not disclose that those contacts are uploaded to and stored on its servers. Julian, a senior security analyst at Bishop Fox, installed the Sarahah app on a Galaxy S5 running Android 5.1.1. The device’s traffic was routed through Burp Suite, an intercepting proxy, which allowed him to see the data his phone was sending to remote servers. On installing and running Sarahah, Julian discovered that the app was sending his personal contacts data to the company’s servers without proper permission.
The transfer of user contacts and emails to the Sarahah servers is not limited to Android; the same occurs on iOS devices once the app has obtained permission to “access contacts.” As per Julian’s testing, if users don’t open the Sarahah app for a few days, it pushes the contacts data all over again when restarted. When Julian restarted the app after a gap of two days, all his contacts were pushed to the Sarahah servers again.
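As an added illustration (not part of the article and not code from Bishop Fox’s testing), the following Python script shows how a privacy auditor would sift through requests recorded by an intercepting proxy such as Burp Suite for address-book data leaving a device, and flag a payload that is uploaded again later, as in the two-day re-push described above. The hostnames, paths, contact entries and timestamps are all constructed for the example.

```python
"""
Audit intercepted HTTP requests for address-book data leaving a device.

The sample requests below are CONSTRUCTED to resemble what an intercepting
proxy records (timestamp, host, path, request body). The hostname, paths,
contact values and timestamps are made up; none comes from the real app.
"""
import hashlib
import json
import re
from collections import defaultdict

# Loose matchers for the two kinds of contact data an address book holds.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Constructed address-book payload, reused so the second sync is an exact repeat.
_CONTACTS_BODY = json.dumps({"contacts": [
    {"name": "Bob", "phone": "+1 555 010 2000", "email": "bob@example.com"},
    {"name": "Carol", "phone": "555-010-3000", "email": "carol@example.org"},
    {"name": "Dave", "phone": "+44 20 7946 0000", "email": "dave@example.net"},
]})

CAPTURED_REQUESTS = [  # constructed proxy log
    {"ts": "day1 10:00:01", "host": "api.example-app.invalid", "path": "/v1/login",
     "body": json.dumps({"user": "alice", "token": "abc123"})},
    {"ts": "day1 10:00:05", "host": "api.example-app.invalid", "path": "/v1/contacts/sync",
     "body": _CONTACTS_BODY},
    {"ts": "day3 09:12:44", "host": "api.example-app.invalid", "path": "/v1/contacts/sync",
     "body": _CONTACTS_BODY},
]


def extract_contact_data(body: str) -> dict:
    """Return the distinct e-mail addresses and phone numbers found in a request body."""
    emails = sorted(set(EMAIL_RE.findall(body)))
    phones = sorted(set(m.strip() for m in PHONE_RE.findall(body)))
    return {"emails": emails, "phones": phones}


def payload_fingerprint(emails: list, phones: list) -> str:
    """Stable hash of the contact set, so identical uploads can be correlated."""
    return hashlib.sha256("\n".join(emails + phones).encode()).hexdigest()


def audit(requests: list, min_entries: int = 2) -> list:
    """
    Flag requests whose body carries at least `min_entries` contact values,
    and mark a finding as a repeat when the same contact set was already sent
    to the same host earlier in the capture.
    """
    findings = []
    seen = defaultdict(list)  # (host, fingerprint) -> timestamps of earlier uploads
    for req in requests:
        data = extract_contact_data(req["body"])
        count = len(data["emails"]) + len(data["phones"])
        if count < min_entries:
            continue  # a lone e-mail (e.g. a login field) is not an address-book dump
        fp = payload_fingerprint(data["emails"], data["phones"])
        key = (req["host"], fp)
        findings.append({
            "ts": req["ts"],
            "host": req["host"],
            "path": req["path"],
            "emails": len(data["emails"]),
            "phones": len(data["phones"]),
            "fingerprint": fp[:12],
            "repeat_upload": bool(seen[key]),
        })
        seen[key].append(req["ts"])
    return findings


if __name__ == "__main__":
    for f in audit(CAPTURED_REQUESTS):
        flag = "REPEAT" if f["repeat_upload"] else "first"
        print(f"{f['ts']} {f['host']}{f['path']}: "
              f"{f['emails']} emails, {f['phones']} phones [{flag}, {f['fingerprint']}]")
```

The fingerprint is what makes the second finding useful: rather than just counting uploads, it shows that the same address book went to the same host twice, which is the behaviour the article describes after a two-day gap. On a real capture the thresholds and regexes would need tuning to the app’s payload format, which is why they are kept as plain module constants.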
After this security flaw was discovered, Sarahah’s creator, Zain al-Abidin Tawfiq, tweeted that the contact-storing behaviour will be removed from the app in future updates and had been put in place for a “find your friends feature.” He also told The Intercept that the feature was supposed to have been removed by a partner with whom he has since stopped working, but the partner somehow “missed that.” Tawfiq went on to claim that the function of storing contacts was removed from the servers and that Sarahah’s servers no longer store any contacts, but his claim cannot be verified, as outside security researchers have no visibility into what happens on the server side of the app.
“Sarahah has between 10 and 50 million installs on just the Play Store alone for Android, so if you extrapolate that number, it could easily get into hundreds of millions of phone numbers and email addresses that they’ve harvested,” Julian said.
You can view some of Julian’s tests of the Sarahah app in the video below.