Categories: Data Breach

Beware : Sarahah App Secretly Spying Your Mobile and Steal Your Email & Contact List

Most Trending Mobile Application “Sarahah” Secretly Spying users Mobile and uploading their contacts list into sarahah database.

It uses to receive feedback from friends and employees which have impressed more than 15 million users around the globe based on downloads from both Apple and Google Play Store.

Its Privacy Policy says “We didn’t design this website to collect your personal data” but This App didn’t follow the Promise and collecting more information along with Feedback.

we GBHackers On Security also have Investigated with our Lab Enviroment  and we have Found another information that, it transfers the Login Credentials in Plain Text Apart from Contacts Information that has been Discovered by bishopfox Senior Security Analyst Zach Julian.

How Does Sarahah Spying & Stealing the Personal Information

Once it installed into users mobile, sarahah will attempt to send all the phone and Email contact to sarahah server.

According to we GBHackers Investigation, Sarahah’s Transfering Credentails in Plan Text which is Potentially Vulnerable to Man-in-the-Middle Attack (MITM) that alow attackers to Steal the Credentials when Data in transit.

Credentials in Plaintext

This upload process happens with both android and iOS, many old version of mobiles infected more than newly updated version.

Especially, Android 6.0 + version used to force the users to Manually allow the permission for the access. But earlier version doesn’t have the further prompt about accessing contacts beyond the Play Store permissions.

Device Contact access permission

Once you Installed the Sarahah App, immediately it will access your Mobile and Email contacts and uploaded to the sarahah Database. Around 54% of users still using Android 5.0 which show prompts to access contact information.

Email & Mobile Contact Information

We could see in the Below image that, User Phone number transferring into Sarah Database which is intercepted through Burp Suite.

Uploaded Phone Contacts

Below Image shows the information about the Stealing Email Contacts details from the User.

Uploaded Email Contacts

Above 6.0 version Manually asking Permission to access the user contacts information. It immediately uploads the contact information to their database once user allowed to access the contacts information.

According to bishopfox Senior Security Analyst Zach Julian Research,Extrapolating this by 10 to 50 million users on Android alone means it’s possible Sarahah has harvested hundreds of millions of names, phone numbers, and email addresses from their users. Overall, Sarahah does not provide enough information for users to make an informed decision whether using the application is worth sharing this sensitive data.

Also, it gathers information about the Device Location, country Location, Geolocation as like other apps.

Location Information

Since this Application has been installed more than 10 Million users, almost Millions of sensitive information stolen from installed users. but the company has said, “the Sarahah database doesn’t currently hold a single contact”.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago