Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
The anonymous message board app Yik Yak is designed in a way that it is possible to get the precise location of a user’s post, and see users’ unique IDs, potentially allowing someone to dox and stalk users, according to a researcher.
Yik Yak is an anonymous social media network popular primarily on college campuses. It was launched in 2013. The app shut down in shut down completely in 2017, after it was accused of being a platform used to harass and cyberbully students, and even to post bomb threats. These allegations have followed the app since its very beginning. In 2014, the company blocked access to middle school and high school students because of reports of threats of violence and bullying. The app came back last year, a comeback no one was really asking for, as my colleague Gita Jackson pointed out at the time. Yik Yak does have so-called “community guardrails” to “to ensure everyone feels welcomed and stays safe.” But students are still reporting the same old problems.
In April, David Teather, a computer science student, analyzed what kind of data Yik Yak exposes by intercepting data sent and received by his Yik Yak app using a free and open source tool called mitmproxy and by writing “code that pretended to be the Yik Yak app to extract information from it.” By doing that, he realized that Yik Yak sent the precise GPS coordinates of every post to his app, as well as a user’s unique ID—nrCi213RA3SncY6mVLZzuGUIJ2T2 for example—which could have allowed him to track users’ posts by looking at where they posted over time, opening up the possibility to de-anonymize and stalk users, according to a blog post he published this week.
Teather demonstrated the flaw in a video call to Motherboard, showing a post in his area, and its GPS coordinates.
“Is the ac on at the Nick rn,” read the post.
The post’s coordinates showed it was sent from a location a block away from Nicholas Recreation Center, on the University of Wisconsin-Madison’s campus. The rec center is known as the “Nick.”
“Combining these two pieces of information it is possible to de-anonymize users.”
It’s important to note that on the app, a user can only see distance displayed as “~ 3 mi” or “Manhattan.” But Yik Yak actually transmits more granular data to the app, allowing someone like an auditor or a researcher who knows how to use tools like the one Teather used to see much more precise, and potentially dangerous, data.
The whole point of Yik Yak, an app with at least 2 million users, is that its users are supposed to be anonymous.
“Yik Yak is a social message board that connects you with people around you anonymously,” the app tells users when they sign up. “Anonymity on Yik Yak makes it fun and easy to jump into conversations and share your thoughts without labels.”
So exposing the precise location and unique IDs of its anonymous users creates the risk of doxing and stalking them, according to Teather and another privacy researcher who reviewed and reproduced Teather’s research for Motherboard.
“Combining these two pieces of information it is possible to de-anonymize users, since people are more likely to use their phones thus Yik Yak at home it’s possible to figure out the area where a user lives within 10-15 feet,” Teather wrote in his blog post.
After Teather alerted Yik Yak of this flaw on April 11, the company made some changes and pushed out new versions of the app on April 28, May 9, and May 10. Teather told Yik Yak that he was planning to publish his research on May 9, according to email correspondence that he shared with Motherboard.
Yik Yak did not respond to multiple requests for comment.
After Yik Yak pushed the new updated apps, the privacy issues are only partially fixed, according to Teather.
Teather said that as of today, on the app’s latest version, Yik Yak does not expose GPS locations, and the app doesn’t display a user’s unique ID when intercepting data the same way he did in April. But, Teather told Motherboard that he is still able to recover both coordinates and user ID by analyzing the app’s API from previous app versions.
What’s worse, the app now shows the distance, in feet, between a user and other users’ posts, according to Teather and Zach Edwards, an independent privacy researcher who analyzed the Yik Yak app for Motherboard.
“Since the distance is in feet though it should be still possible to triangulate a particular user/post by changing your location until you can figure that out,” Teather told Motherboard.
Edwards said “you can still probably dox someone by merely spoofing your own location and recording the number of feet from the person posting.”
“Since mobile apps basically have no way to confirm if someone is spoofing their location in a creative way, if you let someone basically submit a [latitude longitude] ‘for themselves’ while requesting someone else’s content, and then since Yik Yak delivers back the ‘Distance’ field, you can then attempt to spoof a variety of lat/long fields closer and closer to your intended target,” Edwards explained.
Do you have information about similar privacy issues in other apps? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email email@example.com
This is possible thanks to a method called “trilateration,” which is often confused with “triangulation.” The idea is relatively simple. If you get someone’s distance from where you are, even if you don’t know in which direction that distance is, you can figure out the exact location by combining the distance measurements from three different points. This is a common problem for apps that show other users’ distances from you, such as Tinder, or Grindr.
In his email correspondence with Yik Yak Teather proposed a series of solutions. The best one, according to him, is for the app to modify the location data in order to make it less accurate. This could have been done by removing decimal places from the GPS coordinates, as well as randomizing the actual coordinates so they are not the real ones.
“We’re working on fixes to stop exposing user IDs to clients and soften how location is exposed,” a Yik Yak employee told Teather in an email where he also asked him to delay the publication of his blog post. Teather agreed, and since then Yik Yak has not contacted him again, according to Teather.
The fact that Yik Yak still exposes the distance in feet—something Edwards called a “horrible decision”—has not removed the doxing risks. Randomizing the distance, just like he proposed in regards to the GPS coordinates, would protect users’ privacy.
“You wouldn’t even be able to really tell in the app that these changes had happened. And it would protect user privacy better. I don’t really know why they haven’t done that,” Teather told Motherboard.
Back in April, Teather analyzed data from several posts shown in his Yik Yak app from where he lives, in Madison, Wisconsin. He then created a map showing the locations of Yik Yak posts. To protect people’s privacy, Tether wrote in his blog post, he randomized GPS locations—just like he suggested Yik Yak—and “restricted the radius of visualized points to only include high density blocks, so that individual points cannot be pinned to a particular address.”
This allowed him to see that to make some general observations about the app’s users, such as that the app is used by college students mostly in dorms and libraries.
But looking at the data more closely, someone with malicious intent could learn much more private information about Yik Yak users.
Subscribe to our cybersecurity podcast, CYBER.