Most Trending Mobile Application “Sarahah” Secretly Spying users Mobile and uploading their contacts list into sarahah database.
It uses to receive feedback from friends and employees which have impressed more than 15 million users around the globe based on downloads from both Apple and Google Play Store.
Its Privacy Policy says “We didn’t design this website to collect your personal data” but This App didn’t follow the Promise and collecting more information along with Feedback.
we GBHackers On Security also have Investigated with our Lab Enviroment and we have Found another information that, it transfers the Login Credentials in Plain Text Apart from Contacts Information that has been Discovered by bishopfox Senior Security Analyst Zach Julian.
How Does Sarahah Spying & Stealing the Personal Information
Once it installed into users mobile, sarahah will attempt to send all the phone and Email contact to sarahah server.
According to we GBHackers Investigation, Sarahah’s Transfering Credentails in Plan Text which is Potentially Vulnerable to Man-in-the-Middle Attack (MITM) that alow attackers to Steal the Credentials when Data in transit.
Credentials in Plaintext
This upload process happens with both android and iOS, many old version of mobiles infected more than newly updated version.
Especially, Android 6.0 + version used to force the users to Manually allow the permission for the access. But earlier version doesn’t have the further prompt about accessing contacts beyond the Play Store permissions.
Device Contact access permission
Once you Installed the Sarahah App, immediately it will access your Mobile and Email contacts and uploaded to the sarahah Database. Around 54% of users still using Android 5.0 which show prompts to access contact information.
Email & Mobile Contact Information
We could see in the Below image that, User Phone number transferring into Sarah Database which is intercepted through Burp Suite.
Uploaded Phone Contacts
Below Image shows the information about the Stealing Email Contacts details from the User.
Uploaded Email Contacts
Above 6.0 version Manually asking Permission to access the user contacts information. It immediately uploads the contact information to their database once user allowed to access the contacts information.
According to bishopfox Senior Security Analyst Zach Julian Research,Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users. Overall, Sarahah does not provide enough information for users to make an informed decision whether using the application is worth sharing this sensitive data.
Also, it gathers information about the Device Location, country Location, Geolocation as like other apps.
Location Information
Since this Application has been installed more than 10 Million users, almost Millions of sensitive information stolen from installed users. but the company has said, “the Sarahah database doesn’t currently hold a single contact”.