Monday, October 7, 2024
HomeData BreachBeware : Sarahah App Secretly Spying Your Mobile and Steal Your Email...

Beware : Sarahah App Secretly Spying Your Mobile and Steal Your Email & Contact List

Published on

Most Trending Mobile Application “Sarahah” Secretly Spying users Mobile and uploading their contacts list into sarahah database.

It uses to receive feedback from friends and employees which have impressed more than 15 million users around the globe based on downloads from both Apple and Google Play Store.

Its Privacy Policy says “We didn’t design this website to collect your personal data” but This App didn’t follow the Promise and collecting more information along with Feedback.

we GBHackers On Security  also have Investigated with our Lab Enviroment  and we have Found another information that, it transfers the Login Credentials in Plain Text Apart from Contacts Information that has been Discovered by bishopfox Senior Security Analyst Zach Julian.
- Advertisement - EHA

How Does Sarahah Spying & Stealing the Personal Information

Once it installed into users mobile, sarahah will attempt to send all the phone and Email contact to sarahah server.

According to we GBHackers Investigation, Sarahah’s Transfering Credentails in Plan Text which is Potentially Vulnerable to Man-in-the-Middle Attack (MITM) that alow attackers to Steal the Credentials when Data in transit.
sarahah

Credentials in Plaintext

This upload process happens with both android and iOS, many old version of mobiles infected more than newly updated version.

Especially, Android 6.0 + version used to force the users to Manually allow the permission for the access. But earlier version doesn’t have the further prompt about accessing contacts beyond the Play Store permissions.

sarahah

Device Contact access permission

Once you Installed the Sarahah App, immediately it will access your Mobile and Email contacts and uploaded to the sarahah Database. Around 54% of users still using Android 5.0 which show prompts to access contact information.

sarahah

Email & Mobile Contact Information

We could see in the Below image that, User Phone number transferring into Sarah Database which is intercepted through Burp Suite.

sarahah

Uploaded Phone Contacts

Below Image shows the information about the Stealing Email Contacts details from the User.

sarahah

Uploaded Email Contacts

Above 6.0 version Manually asking Permission to access the user contacts information. It immediately uploads the contact information to their database once user allowed to access the contacts information.

According to bishopfox Senior Security Analyst Zach Julian Research,Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users. Overall, Sarahah does not provide enough information for users to make an informed decision whether using the application is worth sharing this sensitive data.

Also, it gathers information about the Device Location, country Location, Geolocation as like other apps.

sarahah

Location Information

Since this Application has been installed more than 10 Million users, almost Millions of sensitive information stolen from installed users. but the company has said, “the Sarahah database doesn’t currently hold a single contact”.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...

Google Warns Of North Korean IT Workers Have Infiltrated The U.S. Workforce

North Korean IT workers, disguised as non-North Koreans, infiltrate various industries to generate revenue...

MC2 Data leak Exposes 100 million+ US Citizens Data

Researchers have uncovered a massive data breach at MC2 Data, a prominent background check...