If you were a college student a few years ago, chances are you’ve heard of — and possibly used — Yik Yak, an anonymous bulletin board app that displayed a stream of messages from a specific location.
The app, launched in 2013, was later shut down in 2017 after users pointed out that it could be used to anonymously bully and harass people, among other bad things. Yik Yak made a strong comeback, but the fundamental issues remained.
But it turns out Yik Yak wasn’t so anonymous after all, according to a researcher speaking to Motherboard.
Yik Yak Privacy Breach
Computer science student David Teather built a pretty ingenious way to test Yik Yak’s privacy claims and found the app to be grossly lacking.
Using the open source tool mitmproxy, Teather intercepted data to and from Yik Yak by impersonating the app itself. Each post on the service contains an exact GPS coordinate and a unique identifier (such as nrCi213RA3SncY6mVLZzuGUIJ2T2), both of which can be used to de-anonymize Yik Yak users.
In his own blog post, Teather goes into much more detail about how and why Yik Yak’s app was exposing this data, leaving around two million remaining users at risk.
A silent update
“I disclosed what I found to the YikYak team on April 11, 2022,” Teather said. “Almost a month later, on May 8, 2022 (1 day before the public disclosure date), they responded by removing the returned user id for posts and comments, but that’s not enough to protect privacy because it is trivial to retrieve this information.”
But not much happened until Yik Yak released version 1.4.3 around May 11, which brought some slight tweaks; the main change was that the GPS location data became less accurate.
“I found out that @YikYakApp exposes millions of user locations by sending precise GPS coordinates of all posts and comments (accurate within 10-15ft) to the app, these can be harvested by malicious actors to track user locations. https://t.co/pgT809okv7” (Teather on Twitter, May 9, 2022)
While this is almost certainly a positive change, Teather found that it was still possible, albeit slightly more difficult, to extract precise location data.
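As an added, defender-side illustration (not Teather’s tool and not Yik Yak’s code), the Python below shows the two server-side controls the article’s timeline describes, dropping the user identifier from the response and coarsening the coordinates to a grid cell, plus an audit check of the kind a team could run over its own captured API traffic before release. The payload layout, field names and sample coordinates are constructed assumptions; only the quoted identifier comes from the article.

```python
import math

# Constructed sample of an unhardened post payload (field names and values are
# assumptions, not Yik Yak's real schema; the user id is the one quoted above).
RAW_POST = {
    "post_id": "p-0001",
    "user_id": "nrCi213RA3SncY6mVLZzuGUIJ2T2",
    "text": "anyone else stuck in the library?",
    "lat": 43.075123,
    "lon": -89.412345,
}

METERS_PER_DEGREE_LAT = 111_320.0   # length of one degree of latitude
CLIENT_FIELDS = ("post_id", "text")  # allow-list: the user id never reaches the client


def resolution_m(decimals: int) -> float:
    """Ground resolution (metres) of a coordinate kept to `decimals` places.
    Five decimals is ~1.1 m, so "accurate within 10-15 ft" means roughly four
    to five decimal places were leaving the server."""
    return (10.0 ** -decimals) * METERS_PER_DEGREE_LAT


def coarsen(lat: float, lon: float, cell_m: float) -> tuple:
    """Snap a coordinate to the centre of a cell_m x cell_m grid cell so every
    post in that cell reports the same location (longitude cell width is taken
    from the snapped latitude, so all posts in a row share the same grid)."""
    dlat = cell_m / METERS_PER_DEGREE_LAT
    snapped_lat = (math.floor(lat / dlat) + 0.5) * dlat
    dlon = cell_m / (METERS_PER_DEGREE_LAT * math.cos(math.radians(snapped_lat)))
    snapped_lon = (math.floor(lon / dlon) + 0.5) * dlon
    return round(snapped_lat, 3), round(snapped_lon, 3)


def sanitize_post(post: dict, cell_m: float = 1000.0) -> dict:
    """Server-side response shaping: drop the user id, coarsen the location."""
    out = {k: post[k] for k in CLIENT_FIELDS}
    out["lat"], out["lon"] = coarsen(post["lat"], post["lon"], cell_m)
    return out


def _decimals(value: float) -> int:
    text = f"{value:.10f}".rstrip("0")
    return len(text.split(".")[1]) if "." in text else 0


def audit_post(post: dict, max_decimals: int = 3) -> list:
    """Review check for an outgoing payload: flags a user id and any coordinate
    finer than max_decimals (3 decimals is ~111 m)."""
    findings = []
    if "user_id" in post:
        findings.append("user_id present")
    for key in ("lat", "lon"):
        d = _decimals(post[key])
        if d > max_decimals:
            findings.append(f"{key} has {d} decimals (~{resolution_m(d):.1f} m)")
    return findings
```

Run against the raw sample, `audit_post` reports three findings; after `sanitize_post` it reports none, and the returned coordinate sits within half a cell (plus rounding) of the original.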
Yik Yak did not respond to multiple requests for comment from Motherboard.