Top social and dating apps, including Instagram, OkCupid, GroupMe, and Grindr, could give hackers access to what users think are private messages, according to research from the University of New Haven’s Cyber Forensics Research and Education Group.
Back in April, the researchers found vulnerabilities in WhatsApp and Viber, which prompted changes by both companies.
With that success, the team decided to conduct a more comprehensive study on messaging apps, the group’s director, Ibrahim Baggili, told The Huffington Post in an email. Over the last two months, the researchers looked at 21 different Android apps: Instagram, OkCupid, ooVoo, Tango, Kik, Nimbuzz, MeetMe, MessageMe, TextMe, Grindr, HeyWire, Hike, textPlus, Words With Friends, Vine, Line, MyChat, WeChat, GroupMe, Whisper, and Voxer.
To test the apps, Baggili and his team used analysis tools to check transmissions between an Android phone and an iPad. Baggili said they found that over a dozen of the Android apps do not encrypt stored data and don’t require people to log into an account to view it. That means the information is readable and accessible by hackers, who can intercept data (like your naked pics) being sent over a wireless network.
Baggili, whose Ph.D. research at Purdue University focused on information security and cyber forensics, said that instead of releasing one long report, the team decided to release the results as five separate videos, which will go live on their YouTube channel at 12 a.m. EST every day for a week, starting on Monday. The first video focuses on Instagram, OkCupid, and ooVoo.
In their initial YouTube post, the researchers detail how they used NetworkMiner, an online tool that allows anyone to see unencrypted data being sent over a Wi-Fi network, to search OkCupid chats for key phrases. The team could see chats and the users sending and receiving them. They also found old images stored on Instagram and ooVoo, according to the video.
[Image caption: Researchers accessed unencrypted Instagram Direct photos.]
In a subsequent video, not yet posted to YouTube but shared with The Huffington Post, the researchers show how they could intercept Grindr messages because transmissions via its network are stored with “http” links, not “https.” Further videos will also address MessageMe, Tango, HeyWire, and textPlus.
“We wanted to have a fun way of releasing our results without boring people to death in one really long video,” Baggili said of the choice to release several short YouTube clips. University of New Haven graduate students Jason Moore and Armindo Rodrigues and undergraduate Daniel Walnycky helped Baggili conduct his research.
The team reported the findings to the respective companies, Baggili said. But as of Monday afternoon, they had yet to hear back.
Nineteen of the 21 companies the researchers tested did not respond to requests for comment from HuffPost on Monday. In a statement, Grindr said, “We monitor and review all reports of security issues regularly. As such, we continue to evaluate and make ongoing changes as necessary to protect our users.” GroupMe said the company was “investigating.”
(h/t Venture Beat)