Yik Yak, an app that acts as a local anonymous message board, makes it possible to find the precise locations and unique IDs of users, Motherboard reports. A researcher analyzing Yik Yak data had access to GPS coordinates of where messages and comments came from, accurate to within 10 to 15 feet, and says he shared his findings with the company in April.
First launched in 2013, Yik Yak was popular on college campuses, where it was often used to gossip, post updates and cyberbully other students. After declining relevance and failed attempts to moderate content, the app shut down in 2017, only to rise from the dead last year. In November, the company said it had passed 2 million users.
Motherboard spoke with David Teather, a computer science student based in Madison, Wisconsin, who raised the security concerns with Yik Yak and then published his findings in a blog post. The app shows posts from nearby users, but only displays an approximate location, such as “about 1 mile away,” up to five miles, to give users an idea of where updates in their community are coming from.
While Yik Yak promises anonymity, Teather points out that combining GPS coordinates and user IDs could de-anonymize users and reveal where people live, since many are likely using the app from home and the data is accurate to within 10 to 15 feet. That combination of information could be used to stalk or monitor a particular person, and Teather mentions that the risk could be higher for people living in rural areas where houses are more than 10 to 15 feet apart, as a GPS location could narrow a user down to one address.
As Motherboard reports, the data is accessible to researchers like Teather, who know how to use tools and write code to extract information, but the risk was real enough to prompt Teather to bring it to Yik Yak’s attention.
I discovered that @YikYakApp exposes millions of user locations by sending accurate GPS coordinates of all messages and comments (accurate to within 10-15 feet) to the app, these can be collected by malicious actors to track user locations. https://t.co/pgT809okv7
— David Teather (@david_teather) May 9, 2022
“Because user IDs are persistent, it is possible to find out a user’s daily routine of when and where they post YikYaks. This can be used to find out the daily routine of a particular YikYak user,” Teather writes. He mentioned other ways the data could be misused, such as finding out where someone lives, monitoring users, or breaking into someone’s home when they’re not there.
Yik Yak did not respond to a request for comment from The Verge.
According to Motherboard, the latest version of the app released by Yik Yak no longer reveals the exact location and user IDs, but Teather says he can still retrieve that information with previous versions of the app.
“If YikYak took this more seriously, they would limit the return of these fields and break older versions and force users to upgrade to a newer version of the app,” he wrote in the blog post.
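The server-side fix described above, sketched as an added example (not code from Yik Yak, Motherboard or Teather's blog post): the API computes the coarse distance label itself and returns only allow-listed fields, so no client version ever receives coordinates or a persistent user ID. The field names, the stored-record layout and the sample coordinates are assumptions made for illustration.

```python
import math

EARTH_RADIUS_MILES = 3958.8
MAX_FEED_MILES = 5  # the article says the feed reaches "up to five miles"


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def distance_label(miles):
    """Round up to whole miles so the label is the only location signal sent."""
    bucket = max(1, math.ceil(miles))
    return f"about {bucket} mile{'s' if bucket != 1 else ''} away"


def public_view(post, viewer_lat, viewer_lon):
    """Build the response for one post from an allow-list of fields.

    Exact coordinates and the persistent user ID stay on the server, so
    old and new clients alike only ever see text plus a coarse label.
    """
    miles = haversine_miles(viewer_lat, viewer_lon, post["lat"], post["lon"])
    if miles > MAX_FEED_MILES:
        return None  # outside the feed radius, not returned at all
    return {"text": post["text"], "distance": distance_label(miles)}


def build_feed(posts, viewer_lat, viewer_lon):
    """Apply public_view to every stored post and drop the out-of-range ones."""
    views = (public_view(p, viewer_lat, viewer_lon) for p in posts)
    return [v for v in views if v is not None]


# Constructed sample records (hypothetical storage layout, made-up values).
SAMPLE_POSTS = [
    {"user_id": "u-123", "lat": 43.0800, "lon": -89.4100, "text": "library is packed"},
    {"user_id": "u-123", "lat": 43.1091, "lon": -89.4012, "text": "snow up north"},
    {"user_id": "u-456", "lat": 43.2000, "lon": -89.4012, "text": "too far to show"},
]

if __name__ == "__main__":
    for item in build_feed(SAMPLE_POSTS, 43.0731, -89.4012):
        print(item)
```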