Sarahah
Table of contents:
- Lots of bugs plague the web version of Sarahah
- Harassment and teardown: the danger of Sarahah on the web
According to a report on The Next Web, a British security researcher has found numerous security flaws in Sarahah, the app that is all the rage among teenagers. Sarahah means honesty in Arabic, and although many people use it to harass or bully others, its stated purpose is exactly the opposite: to let people compliment one another. The problems described here are confined exclusively to the web version of Sarahah; its mobile apps are, for the moment, unaffected.
Lots of bugs plague the web version of Sarahah
Scott Helme, the researcher in question, found that the Sarahah website's protection against CSRF (cross-site request forgery) was extremely easy to bypass. CSRF is not a virus but an attack in which a page controlled by the attacker makes a logged-in victim's browser send requests to Sarahah that the victim never intended, so the attacker can perform actions with our account that have nothing to do with our own use of it. Helme explains that an attacker could use this to make our account bookmark (favourite) other, unknown accounts, with a view to profiting financially from it.
He also points out that last August another researcher, Rony Das, discovered further security holes, specifically an XSS (cross-site scripting) vulnerability. In short, an attacker could inject malicious script into the HTML of Sarahah's pages so that it runs in other users' browsers, where it could be used to push viruses or spyware to them.
Other issues: Helme identified serious problems with the site's security headers, in particular the absence of HSTS (HTTP Strict Transport Security). HSTS tells browsers to connect to a site only over HTTPS, and is an increasingly common defence against cookie hijacking and against downgrade attacks that push a connection back onto the old, unencrypted web. Helme's aim is to get Sarahah to protect its users properly. As The Next Web notes, its big competitor Ask.fm is a site riddled with errors and security flaws, so Sarahah has every opportunity to learn from that site's failures and become a safe web service.
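The two server-side fixes the article describes, a CSRF token and an HSTS header, as an added example that is not Sarahah's code nor Helme's: a minimal "favourite" handler in its vulnerable form beside a hardened one that requires a session-bound synchroniser token, plus a small check that a response's HSTS header is present and well-formed. The session store, the `favourite` form field names and the in-memory `FAVOURITES` map are assumptions made for the demo; the request and response objects are represented as plain dicts.

```python
import hashlib
import hmac
import secrets

# Server-side secret; an assumption for the demo (in production it comes from
# configuration, not from source code).
SECRET_KEY = secrets.token_bytes(32)

# Constructed in-memory state: session id -> set of favourited account names.
FAVOURITES = {}


def new_session():
    """Issue an unguessable session id (the value a real site puts in its cookie)."""
    return secrets.token_urlsafe(32)


def csrf_token(session_id):
    """Synchroniser token bound to the session: HMAC-SHA256(secret, session id).
    A cross-site form can make the browser send the session cookie, but it can
    neither read nor compute this value, so it cannot forge a valid request."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted):
    """Constant-time comparison so the check leaks nothing about the token."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)


def favourite_vulnerable(session_id, form):
    """Before: any request carrying a valid session cookie is honoured, so a page
    on an attacker's site can auto-submit a form to /favourite and make the
    visitor favourite whichever account the attacker chooses."""
    FAVOURITES.setdefault(session_id, set()).add(form["user"])
    return 200


def favourite_hardened(session_id, form):
    """After: the POST must also carry the token the site rendered into its own
    form; a forged cross-site request lacks it and is rejected before any
    state changes."""
    if not csrf_valid(session_id, form.get("csrf")):
        return 403
    FAVOURITES.setdefault(session_id, set()).add(form["user"])
    return 200


def hsts_header():
    """The header the article says was missing: browsers that see it refuse
    plain-HTTP connections to the site for a year, including subdomains."""
    return {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def hsts_max_age(headers):
    """Parse a response header map (assumed to use canonical header names) and
    return the HSTS max-age in seconds, or None when the header is missing
    or malformed. Useful when checking a site's responses by hand."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None
```

The token is derived from the session id rather than stored, so the server keeps no extra state per session; rotating `SECRET_KEY` invalidates all outstanding tokens at once. Setting the session cookie with `SameSite=Lax` is a second, complementary defence, but it does not replace the token check.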
Harassment and teardown: the danger of Sarahah on the web
The researcher also has something to say about the anti-harassment filter. He noticed, for example, that the sentence 'I would kill for a cheeseburger' gets deleted, because the filter finds a negative word, 'kill'. If a comma is placed after 'would kill', however, the filter ignores it. The result is not grammatically correct, but the message gets through anyway.
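The filter bypass above, reproduced as an added example (not Sarahah's filter, whose implementation the article does not show): a naive word-list filter that compares whitespace-separated tokens, which is one plausible way to get exactly the comma behaviour Helme describes, beside a version that normalises Unicode and strips punctuation before matching. The one-word blocklist is constructed for the demo.

```python
import re
import unicodedata

# Constructed, deliberately tiny blocklist for the demo.
BLOCKLIST = {"kill"}


def naive_filter_blocks(message):
    """Split on whitespace and compare whole tokens. The token for 'kill,' is
    'kill,' not 'kill', so a trailing comma slips the word past the check."""
    return any(token.lower() in BLOCKLIST for token in message.split())


def normalize_tokens(message):
    """Fold the message to a canonical form before matching: NFKC maps look-alike
    and full-width letters onto ASCII, casefold handles capitals, and the regex
    keeps runs of letters/digits only, so punctuation can no longer split or
    protect a word."""
    text = unicodedata.normalize("NFKC", message).casefold()
    return re.findall(r"[^\W_]+", text)


def normalized_filter_blocks(message):
    """Match on normalised whole words: 'kill,' and 'KILL' are caught, while
    'skill' is not, because the match is on tokens rather than substrings."""
    return any(token in BLOCKLIST for token in normalize_tokens(message))


def blocked_words(message):
    """Return the blocklist hits, which is what a moderation log should record."""
    return [token for token in normalize_tokens(message) if token in BLOCKLIST]
```

Normalising before matching closes the punctuation and look-alike-character gaps, but a word list is still a weak filter: spelling tricks, spacing and slang all evade it, which is why rate limits and bulk deletion (discussed next) matter as much as the filter itself.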
More failures: Sarahah's site places no rate limit on how fast users can post comments, so anyone can be bombarded with harassment by a simple script. Nor does Sarahah offer any bulk-delete function, so a victim of such a bombardment has to delete the comments one by one.
In addition, to reset a password Sarahah asks only for the email address associated with the account. On request, the system generates a new password and emails it to the user automatically. An attacker could therefore script the request so that the password changes every moment, making it impossible for the owner to get into the account. A similar script can also lock an owner out even when the password is valid: Sarahah locks any account that has had more than 10 login attempts, so an attacker need only fire off that many failed logins against a victim's account.
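The three abuse paths in the last two paragraphs (comment floods, reset-driven lockout and login-attempt lockout) share one missing control, so here is one added example covering all of them; it is not Sarahah's code and the article does not describe how the site implements any of this. A sliding-window limiter is applied to comment posting and to reset requests; the reset flow is shown first as the article describes it (the request itself sets a new password) and then in a hardened form where nothing changes until a single-use, expiring token is redeemed; and login throttling is keyed on the (account, source) pair with a cooling-off window instead of a permanent lock. The user store, limits and timings are assumptions chosen for the demo; `now` is passed in explicitly so the behaviour is reproducible.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # forget events that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hash_password(password, salt=None):
    """Salted PBKDF2 so the store never holds a recoverable password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password):
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest}


def password_matches(user, password):
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(user["digest"], digest)


# Constructed user store for the demo: email -> credential record.
USERS = {"alice@example.com": make_user("correct horse")}

# 1. Comment floods: key on (sender, recipient) so one script cannot bury one inbox.
comment_limiter = SlidingWindowLimiter(limit=5, window=60)


def post_comment(sender_ip, recipient, text, now):
    if not comment_limiter.allow((sender_ip, recipient), now):
        return "throttled"
    return "posted"  # a real handler would store `text` here


# 2. Reset as the article describes it: the bare request replaces the password
#    at once, so repeating it keeps the real owner permanently locked out.
def reset_vulnerable(email):
    if email not in USERS:
        return False
    USERS[email] = make_user(secrets.token_urlsafe(12))  # "new password" emailed
    return True


# 3. Hardened reset: the request changes nothing. A single-use token valid for
#    15 minutes is emailed, and only redeeming it sets a password.
reset_limiter = SlidingWindowLimiter(limit=3, window=3600)
PENDING = {}  # sha256(token) -> (email, expiry); the raw token is never stored


def reset_request(email, now):
    if not reset_limiter.allow(email, now) or email not in USERS:
        return None  # the HTTP response would look identical in both cases
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = (email, now + 900)
    return token  # in a real system this goes into the email, not the response


def reset_redeem(token, new_password, now):
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    USERS[entry[0]] = make_user(new_password)
    return True


# 4. Login throttling keyed on (account, source) with a 10-minute window, so an
#    attacker's failures slow the attacker down without shutting out the owner.
login_limiter = SlidingWindowLimiter(limit=10, window=600)


def login(email, password, source_ip, now):
    if not login_limiter.allow((email, source_ip), now):
        return "throttled"
    user = USERS.get(email)
    if user is not None and password_matches(user, password):
        return "ok"
    return "denied"
```

Keying the login limiter on the source as well as the account is what removes the lockout weapon from the attacker, but an attacker with many source addresses can still hammer one account, so a slower per-account backoff (or a step-up such as a CAPTCHA) belongs alongside it; the point is that the owner's own session is never the thing that gets locked.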
The researcher later contacted Sarahah to report this avalanche of security flaws in its web version, the fruit of an investigation that took months of his time and that could finally make Sarahah a community free of harassment and deliberate cyberattacks.