Yik Yak Exposes Precise Locations, Unique IDs for Anonymous Users

pcmag.com:

Yik Yak, the anonymous social platform that was brought back from the dead in August 2021, has reportedly been revealing the precise locations and unique IDs associated with its users.

The exposed data was discovered(Opens in a new window) by David Teather, a computer science student at the University of Wisconsin-Madison, who disclosed the issue to Yik Yak on April 11. The company addressed part of the problem on May 8; Teather publicly revealed the flaws on May 9.

"I was able to access the precise GPS coordinates (accurate to within 10-15ft) of all posts and comments on the YikYak [sic] platform," Teather says, which "leaves at least 2 million users(Opens in a new window) at risk." (At least—Yik Yak hasn't publicly revealed how many users it has since November 2021.)

Teather also discovered that every post and comment on Yik Yak is associated with a unique user ID. The company released an update to address this problem on May 8, but according to Teather, someone could still de-anonymize users with "a few minutes of guessing."

Teather's findings demonstrate the problem with taking any ostensibly private service at its word. While some amount of location sharing is to be expected from a service like Yik Yak, its users probably didn't expect to have their exact whereabouts to be revealed, or tied to unique user IDs.

Yik Yak didn't immediately respond to a request for comment. The company does note in an update(Opens in a new window) about the re-release of its Android app that it's been working on a new API—presumably the one affected by these flaws—and that it "ran into a few unexpected hurdles" recently.

Sign up for What's New Now to get our top stories delivered to your inbox every morning.

This newsletter may contain