Thousands of people trusted Blind, an app-based “anonymous social network,” as a safe way to reveal malfeasance, wrongdoing and improper conduct at their companies.
But Blind left one of its database servers exposed without a password for more than a month, making it possible for anyone who knew where to look to access each user’s account information and identify would-be whistleblowers.
The South Korea-founded company made its way into the U.S. in 2015, when it quickly became a highly popular anonymous social network for major tech companies, touting employees from Apple, Facebook, Google, Microsoft, Twitter, Uber, and more. Blind last month secured another $10 million in new funding after a $6 million raise in 2017. But it was only when the social network became the root of several high profile scandals when Blind gained mainstream attention, including revealing allegations of sexual harassment at Uber — which later blocked the app on its corporate network.
The exposed server was found by a security researcher, who goes by the name Mossab H, who informed the company of the security lapse. The security researcher found one of the company’s Kibana dashboard for its backend ElasticSearch database, which contained several tables, including private messaging data and web-based content, for both of its U.S. and Korean sites. Blind said that the exposure only affects users who signed up or logged in between November 1 and December 19, and that the exposure relates to “a single server, one among many servers on our platform,” according to Blind executive Kyum Kim in an email.
Blind only pulled the database after TechCrunch followed up by email a week later. The company began emailing its users on Thursday after we asked for comment.
“While developing an internal tool to improve our service for our users, we became aware of an error that exposed user data,” the email to affected users said.
Kim said that there is “no evidence” that the database was misappropriated or misused, but did not say how it came to that conclusion. When asked, the company would not say if it will notify U.S. state regulators of the breach.
Blind’s chief executive Sunguk Moon, who was copied on many of the emails with TechCrunch, did not comment or acknowledge the exposure.
At its core, the app and anonymous social network allows users to sign up using their corporate email address, which is said to be linked only to Blind’s member ID. Email addresses are “only used for verification” to allow users to talk to other anonymous people in their company, and the company claims that email addresses aren’t stored on its servers.
But after reviewing a portion of the exposed data, some of the company’s claims do not stand up.
We found that the database provided a real-time stream of user logins, user posts, comments and other interactions, allowing anyone to read private comments and posts. The database also revealed the unencrypted private messages between members, but not the associated email addresses of each user. (Given the highly sensitivity of the data and the privacy of the affected users, we’re not posting data, screenshots or specifics of user content.)
Blind claims on its website that its email verification “is safe, as our patented infrastructure is set up so that all user account and activity information is completely disconnected from the email verification process.” It adds: “This effectively means there is no way to trace back your activity on Blind to an email address, because even we can’t do it.” Blind claims that the database “does not show any mapping of email addresses to nicknames,” but we found did find streams of email addresses associated with members who had not yet posted. We should note, though, in our brief review, we didn’t find any content, such as comments or messages, associated with email addresses. Assuming the database disconnected and removed an email address from each member ID, it still could have been possible to know the identity of a user who posts in the future.
Many records did, however, contain plaintext email addresses. When other records didn’t store an email address, the record contained the user’s email as an unrecognized encrypted hash — which may be decipherable to Blind employees, but not to anyone else.
The database also contained passwords, which were stored as an MD5 hash, a long-outdated algorithm that is nowadays easy to crack. Many of the passwords were easily unscrambled using readily available tools when we tried. Kim denied this. “We don’t use MD5 for our passwords to store them,” he said. “The MD5 keys were a log and it does not represent how we are managing data. We use more advanced methods like salted hash and SHA2 on securing users’ data in our database.” (Logging in with an email address and unscrambled password would be unlawful, therefore we cannot verify this claim.) That may pose a risk to employees who use the same password on the app as they login to their corporate accounts.
Despite the company’s apparent efforts to disassociate email addresses from its platform, login records in the database also stored user account access tokens — the same kind of tokens that recently put Microsoft and Facebook accounts at risk. If a malicious actor took and used a token, they could login as that user — effectively removing any anonymity they might have had from the database in the first place.
As well intentioned as the app may be, the database exposure puts users — who trusted the app to keep their information safe and their identities anonymous — at risk.
These aren’t just users, but also employees of some of the largest companies in Silicon Valley, who posts about sexual harassment in the workplace and discussing job offers and workplace culture. Many of those who signed up in the past month include senior executives at major tech companies but don’t realize that their email address — which identifies them — could be sitting plaintext in an exposed database. Some users sent anonymous, private messages in some cases made serious allegations against their colleagues or their managers, while others expressed concern that their employers were monitoring their emails for Blind sign-up emails.
Yet, it likely escaped many that the app they were using — often for relief, for empathy, or as a way to disclose wrongdoing — was almost entirely unencrypted and could be accessed, not only by the app’s employees but also for a time anyone on the internet.
Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.