Earlier this year, people began sharing links to an anonymous messaging platform called Sarahah - which is the Arabic word for honesty.
The platform gave people the opportunity to send anonymous messages to each other directly on the server. Months down the line, the app was still getting traction.
But, online publication The Intercept recently uncovered the app's not-so-honest functionality in an article published on Aug. 27 titled 'Hit App Sarahah Quietly Uploads Your Address Book.'
In it, writer Yael Grauer reveals that the app uploads users’ phone contacts to the company’s servers. The article references the person who made the initial discovery: Zachary Julian.
Julian, a senior security analyst at Bishop Fox, discovered the app's hijacking of private information using monitoring software known as Burp Suite.
"As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system," he said, later confirming the same happens on iOS.
The app's founder responded via a tweet
The app's creator Zain al-Abidin Tawfiq - who is based in Saudi Arabia - responded via a series of tweets following The Intercept's published piece.
Tawfiq explains that the contact-syncing functionality had initially been intended for a "find your friends" feature, which was eventually delayed due to technical issues.
Tawfiq said that the functionality was meant to be removed but a former partner - who is no longer working with the team - "missed" that, according to The Intercept.
Tawfiq also confirms that the "functionality was, however, removed from the server and that Sarahah stores no contacts in its databases."
The Intercept says "this is impossible to verify."
On both iOS and Android, the app does ask for permission to access one's phone contacts; however, it does not disclose that it uploads such data.
Most users who grant the app access probably expect it to "add some sort of functionality."
Except currently, it does nothing of the sort.
"It’s no longer that you have to worry about the data on your phone, it’s that you have to worry about the data on your phone that’s somewhere else that you have no control over being compromised," Drew Porter, founder of security firm Red Mesa, told The Intercept.
"I do find it concerning, mostly because the information that the company may be getting could be what other people consider very private, and you don’t know the security of the company that is getting it," Porter added.