According to a researcher, the anonymous bulletin board app Yik Yak is built in a way that makes it easy to view users’ unique IDs and the geographical location of their posts, possibly allowing someone to dox and stalk them.
In April, computer science student David Teather investigated what sort of data Yik Yak exposes by intercepting data transmitted and received by his Yik Yak app using mitmproxy, a free and open-source tool, and building “code that pretended to be the Yik Yak app to extract information from it.” According to a blog post he published this week, he discovered that Yik Yak sent the precise GPS coordinates of every post to his app, as well as a user’s unique ID, which could have allowed him to track users’ posts by looking at where they posted over time, potentially allowing him to de-anonymize and stalk users.
When users sign up for the app, it tells them that “Yik Yak is a social messaging board that links you with people around you anonymously.” “On Yik Yak, anonymity makes it enjoyable and easy to join discussions and contribute your opinions without being identified.” According to Teather and another privacy researcher who examined and recreated Teather’s study for Motherboard, disclosing the specific location and unique IDs of its anonymous users increases the danger of doxing and stalking.
Yik Yak made certain improvements after Teather informed them of the vulnerability on April 11, and new versions of the app were released on April 28, May 9, and May 10. According to email conversations supplied to Motherboard by Teather, he notified Yik Yak that he planned to publish his results on May 9.
Yik Yak did not respond to multiple requests for comment.
According to Teather, the privacy problems are only partially resolved even after Yik Yak released the updated apps.
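A server-side response filter for the exposure described above, written here as an added example and not taken from Teather's post or Yik Yak's code. The field names (`post_id`, `user_id`, `lat`, `lon`, `text`), the grid size and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import math

# Assumed cell size in degrees. A cell of 0.05 degrees is roughly 5.5 km
# north-south; the east-west extent shrinks toward the poles.
GRID_DEGREES = 0.05


def coarsen(value, cell=GRID_DEGREES):
    """Snap a coordinate to the centre of its grid cell.

    Snapping is deterministic on purpose: random noise added per response
    can be averaged away by a client that requests the same post repeatedly.
    """
    return round((math.floor(value / cell) + 0.5) * cell, 6)


def per_post_alias(secret, user_id, post_id):
    """Keyed pseudonym that changes with every post.

    The server can still recompute it for moderation, but a client cannot
    group posts by author because no stable identifier leaves the server.
    """
    msg = f"{user_id}:{post_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def to_client_view(post, secret):
    """Build the dictionary that is serialised to the app.

    The output is constructed field by field (an allow-list), so a new
    internal column never reaches clients by accident.
    """
    return {
        "post_id": post["post_id"],
        "text": post["text"],
        "author": per_post_alias(secret, post["user_id"], post["post_id"]),
        "lat": coarsen(post["lat"]),
        "lon": coarsen(post["lon"]),
    }


if __name__ == "__main__":
    # Constructed sample record; not real data.
    sample = {"post_id": "p1", "user_id": "u-1001", "text": "hello",
              "lat": 33.7756, "lon": -84.3963}
    print(to_client_view(sample, b"constructed-demo-key"))
```

A per-post alias removes the ability to show that two posts share an author; a feature that needs that inside one thread could key the alias on a thread identifier instead.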