Monday, February 10, 2025
HomeData BreachBeware : Sarahah App Secretly Spying Your Mobile and Steal Your Email...

Beware : Sarahah App Secretly Spying Your Mobile and Steal Your Email & Contact List

Published on

SIEM as a Service

Follow Us on Google News

Most Trending Mobile Application “Sarahah” Secretly Spying users Mobile and uploading their contacts list into sarahah database.

It uses to receive feedback from friends and employees which have impressed more than 15 million users around the globe based on downloads from both Apple and Google Play Store.

Its Privacy Policy says “We didn’t design this website to collect your personal data” but This App didn’t follow the Promise and collecting more information along with Feedback.

we GBHackers On Security  also have Investigated with our Lab Enviroment  and we have Found another information that, it transfers the Login Credentials in Plain Text Apart from Contacts Information that has been Discovered by bishopfox Senior Security Analyst Zach Julian.

How Does Sarahah Spying & Stealing the Personal Information

Once it installed into users mobile, sarahah will attempt to send all the phone and Email contact to sarahah server.

According to we GBHackers Investigation, Sarahah’s Transfering Credentails in Plan Text which is Potentially Vulnerable to Man-in-the-Middle Attack (MITM) that alow attackers to Steal the Credentials when Data in transit.
sarahah

Credentials in Plaintext

This upload process happens with both android and iOS, many old version of mobiles infected more than newly updated version.

Especially, Android 6.0 + version used to force the users to Manually allow the permission for the access. But earlier version doesn’t have the further prompt about accessing contacts beyond the Play Store permissions.

sarahah

Device Contact access permission

Once you Installed the Sarahah App, immediately it will access your Mobile and Email contacts and uploaded to the sarahah Database. Around 54% of users still using Android 5.0 which show prompts to access contact information.

sarahah

Email & Mobile Contact Information

We could see in the Below image that, User Phone number transferring into Sarah Database which is intercepted through Burp Suite.

sarahah

Uploaded Phone Contacts

Below Image shows the information about the Stealing Email Contacts details from the User.

sarahah

Uploaded Email Contacts

Above 6.0 version Manually asking Permission to access the user contacts information. It immediately uploads the contact information to their database once user allowed to access the contacts information.

According to bishopfox Senior Security Analyst Zach Julian Research,Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users. Overall, Sarahah does not provide enough information for users to make an informed decision whether using the application is worth sharing this sensitive data.

Also, it gathers information about the Device Location, country Location, Geolocation as like other apps.

sarahah

Location Information

Since this Application has been installed more than 10 Million users, almost Millions of sensitive information stolen from installed users. but the company has said, “the Sarahah database doesn’t currently hold a single contact”.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Quishing via QR Codes Emerging as a Top Attack Vector Used by Hackers

QR codes, once a symbol of convenience and security in digital interactions, have become...

New ‘BYOTB’ Attack Exploits Trusted Binaries to Evade Detection, Researchers Reveal

A recent cybersecurity presentation at BSides London 2024 has unveiled a sophisticated attack technique...

SAML Bypass Authentication on GitHub Enterprise Servers to Login as Other User Account

A severe security vulnerability, tracked as CVE-2025-23369, has been identified in GitHub Enterprise Server...

NanoCore RAT Attack Windows Using Task Scheduler to Captures keystrokes, screenshots

NanoCore, a notorious Remote Access Trojan (RAT), continues to pose a significant threat to...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

Threat actors from dark web forums claim to have stolen and leaked 20 million...

Globe Life Ransomware Attack Exposes Personal and Health Data of 850,000+ Users

Globe Life Inc., a prominent insurance provider, has confirmed a major data breach that...

BeyondTrust Zero-Day Breach – 17 SaaS Customers API Key Compromised

BeyondTrust, a leading provider of identity and access management solutions, disclosed a zero-day breach...