Secret-sharing app Whisper failed to keep users' fetishes and locations private

Launched in 2012, the Whisper app declared itself to be a place where anyone could post their private thoughts and extreme confessions anonymously. In its promotional material it describes itself as “the largest online platform where people share real thoughts and feelings… without identities or profiles.”

Tens of millions of active users every month trust Whisper with their secrets, seemingly unafraid of being identified as they share everything ranging from guilty pleasures and personal struggles to bad boyfriends and taboo fetishes.

The one thing that all users had in common was that they believed their sometimes extreme confessions were being posted safely, without danger that they could be identified.

But now security researchers have raised the alarm after discovering that hundreds of millions of Whisper users’ intimate messages, tied to their locations, were publicly available.

As The Washington Post reports, a Whisper database was left exposed on the internet for anybody to access – no password required.

Matthew Porter and Dan Ehrlich of Twelve Security revealed that they had been able to access almost 900 million user records, dating from the app’s release in 2012 to the present day.

Fortunately the exposed records did not include users’ real names. But it did include information they had attached to their profile – which included age, ethnicity, gender, hometown, nickname, and membership of any particular Whisper groups. As The Washington Post points out, many Whisper groups are focused on sexual desires and fetishes.

That would be bad enough, and reason to be alarmed due to Whisper’s apparent lax security, but the database also included the location co-ordinates of users’ last submitted post – likely to point back to specific workplaces, military bases, neighbourhoods, and schools.

It’s easy to imagine how someone might be put in danger or blackmailed if their private thoughts or sexual orientation were linked to their true real-life identity.

Whisper, which was informed of the problem earlier this week, has since restricted access to the database, whilst disputing the seriousness of the data breach in a statement:

Lauren Jamar, a vice president of content and safety at Whisper”s parent company, MediaLab, said in a statement that the company strongly disputed their findings. The posts and their ties to locations, ages and other data, she said, represented “a consumer facing feature of the application which users can choose to share or not share.”

One concern is that the data was available to download in its entirety, compounding the risk to users – especially if it was combined with other sensitive data sets.

The researchers, however, said the fact that the unprotected intimate data was available for download en masse was particularly concerning — and warned of the potential for it to be combined with other sensitive data sets, putting users’ privacy at even greater risk.

And there certainly does appear to be plenty of sensitive information in the exposed data which, in the wrong hands, could be weaponised through extortion and threats.

For instance, almost 100,000 accounts were marked as banned for having solicited minors, and another field in the database gave users a “predator_probability” score (Some 9000 users had been given a score of 100%).

Researcher Dan Ehrlich described Whisper’s failure to keep the data private as “grossly negligent,” and I can’t help but agree.

Whisper’s dirty little secret was that for eight years it left this information exposed for anyone to access. And now it doesn’t appear to even be that sorry about it.