Yik Yak, an app that acts as a local anonymous message board, makes it possible to find users’ exact locations and unique IDs, Motherboard reports. A researcher analyzing Yik Yak data was able to access precise GPS coordinates of where posts and comments came from, to within 10 to 15 feet, and said he shared his findings with the company in April.
First launched in 2013, Yik Yak was popular on college campuses, where it was often used to gossip, post updates, and cyberbully other students. After dwindling relevance and failed attempts at content moderation, the app was shut down in 2017, only to rise from the dead last year. In November, the company said it had passed 2 million users.
Motherboard spoke to David Teather, a computer science student from Madison, Wisconsin, who brought the security concerns to Yik Yak and published his findings in a blog post. The app shows posts from nearby users, but only shows approximate locations, such as “about 1 mile away,” up to five miles, to give users a sense of where updates are coming from in their nearby community.
Although Yik Yak promises anonymity, Teather points out that the combination of GPS coordinates and user IDs could de-anonymize users and reveal where people live, since many are likely using the app from home and the data is accurate to within 10 to 15 feet. This combination of information could be used to track or watch a specific individual, and Teather mentions that the risk could be higher for people in rural areas where homes are more than 10 to 15 feet apart, since a GPS location could narrow a user down to a single address.
According to Motherboard, the data is reportedly accessible to researchers like Teather who know how to use tools and write code to extract information, but the risk was real enough to prompt Teather to bring it to Yik Yak’s attention.
I discovered that @YikYakApp exposes millions of user locations by sending precise GPS coordinates (to within 10-15 feet) of all posts and comments to the app. These can be harvested by malicious actors to track user locations. https://t.co/pgT809okv7
— David Teather (@david_teather) May 9, 2022
“Because user IDs are persistent, it is possible to find out a user’s daily routine of when and where they post YikYaks, this can be used to find out a specific YikYak user’s daily routine,” Teather writes. He listed other ways the data could be misused, such as finding out where someone lives, monitoring users, or breaking into someone’s house when they’re not there.
Yik Yak did not respond to a request for comment from The Verge.
According to Motherboard, the latest version of the app released by Yik Yak no longer shows precise location and user IDs, but Teather says he can still get this information using previous versions of the app.
“If YikYak took this more seriously, they would limit the return of these fields and break older versions and force users to upgrade to a newer version of the app,” he wrote in the blog post.
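The server-side change Teather recommends can be sketched as an allowlist serializer that computes the coarse distance label on the server and never returns coordinates or user IDs, whatever client version asks. This is an added example, not code from Yik Yak or from Teather's blog post; the field names, the sample record and the rounding scheme are assumptions.

```python
import math

# Constructed sample record; field names are hypothetical, not Yik Yak's schema.
SAMPLE_POST = {"id": "post-1", "text": "free pizza at the union",
               "lat": 43.0766, "lon": -89.4125, "user_id": "u-8f3a"}

PUBLIC_FIELDS = ("id", "text")  # allowlist: nothing else leaves the server
MAX_MILES = 5                   # feed radius described in the article


def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in miles."""
    earth_radius_miles = 3958.8
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * earth_radius_miles * math.asin(math.sqrt(a))


def distance_label(miles):
    """Round up to a whole mile so the label is never finer than 1 mile."""
    bucket = min(MAX_MILES, max(1, math.ceil(miles)))
    return f"about {bucket} mile{'s' if bucket > 1 else ''} away"


def serialize_for_viewer(post, viewer_lat, viewer_lon):
    """Client-facing view of a post, or None if it is outside the feed radius.

    The stored lat/lon are used only here, on the server; the response
    carries the coarse label and the allowlisted fields, nothing more.
    """
    miles = miles_between(post["lat"], post["lon"], viewer_lat, viewer_lon)
    if miles > MAX_MILES:
        return None
    view = {field: post[field] for field in PUBLIC_FIELDS}
    view["distance"] = distance_label(miles)
    return view


if __name__ == "__main__":
    print(serialize_for_viewer(SAMPLE_POST, 43.1066, -89.4125))
```

Because the filtering happens when the response is built, older app versions receive the same reduced payload as the newest one.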