more of the same

Random musings of @mchang.

[Update Feb 9 midnight]

Hipster CEO Doug Ludlow apologizes and promises an update that makes the email harvesting opt-in.

[Original post]

Inspired by this post (which you should all read), I looked at the apps on my own iPhone for information leakage by other apps. I figured this would be common practice, and lo and behold, when booting up Hipster, it seems like parts of my iPhone address book were being uploaded to Hipster. Here’s the breakdown, done in the style of Arun Thampi (the author of the first post).

Creating an Account

Hipster starts with a POST to api.hipster.com/v1/people.

Worth noting, this is not over HTTPS, and it sends your info, including your password and iPhone UID, in plaintext. Ugh.

Okay, not terrible.

Several other transactions happen here, giving us acknowledgment of your login and creation of an account and user ID, and the public “Popular” feed is returned.

Sadly, the badness happens when you go to add your friends from the More > Find Friends menu option.

Badness

The Hipster app, in an unsecured HTTP GET request, sends a big chunk of your iPhone address book in the form of an emails param that contains a comma-separated list of email addresses. WAT. Here it is, with the big block of email addresses redacted.

Okay, that’s enormous. Let’s just get the important bits. The HTTP GET goes to:

api.hipster.com/v1/me/friends_lookup?auth_token=[redacted]&emails=[…]

Boy. Thanks, Hipster.
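Both requests above, the account-creation POST and the friends_lookup GET, are easy to catch with a small audit of captured traffic. The script below is an added example, not code from the original post or from Hipster: it walks a few constructed request records (the host and paths match the post; the email addresses, token value and field names are made-up samples) and flags any plaintext HTTP request that carries credential-like fields or a bulk list of email addresses, which is exactly the check I was doing by hand with a proxy.

```python
"""Audit captured HTTP requests for plaintext leakage of credentials and address-book data.

Added example: the request records are constructed to mirror the traffic described in
the post; none of the values are real captures.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Matches one address inside a comma-separated list; commas end a match.
EMAIL_RE = re.compile(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+")

# Field names that should never travel in the clear (assumed list, extend as needed).
SENSITIVE_KEYS = {"password", "passwd", "pass", "udid", "uid", "device_id", "auth_token", "token"}

# Constructed sample: (method, url, body) per request, as a proxy capture would show them.
SAMPLE_REQUESTS = [
    ("POST", "http://api.hipster.com/v1/people",
     "email=me%40example.com&password=hunter2&udid=0123456789abcdef"),
    ("GET", "http://api.hipster.com/v1/me/friends_lookup"
            "?auth_token=REDACTED_TOKEN"
            "&emails=alice%40example.com%2Cbob%40example.org%2Ccarol%40example.net", ""),
    ("GET", "https://api.example.com/v1/popular", ""),   # HTTPS, nothing sensitive
    ("GET", "http://api.example.com/v1/status?ping=1", ""),  # plaintext but harmless
]


def _params(url, body):
    """Merge query-string and form-body parameters into one dict of lists."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return parts.scheme, params


def audit_request(method, url, body="", bulk_threshold=3):
    """Return a list of finding strings for one request; an empty list means nothing flagged."""
    scheme, params = _params(url, body)
    plaintext = scheme == "http"
    prefix = "plaintext " if plaintext else ""
    findings = []
    for key, values in params.items():
        joined = ",".join(values)
        if key.lower() in SENSITIVE_KEYS:
            findings.append(f"{prefix}credential-like field '{key}'")
        emails = EMAIL_RE.findall(joined)
        # A single address is normal for a login; a list means an address book is leaving.
        if len(emails) >= bulk_threshold:
            findings.append(f"{prefix}bulk email upload in '{key}' ({len(emails)} addresses)")
    if findings and method == "GET" and plaintext:
        findings.append("sensitive data in GET query string (ends up in proxy and server logs)")
    return findings


def audit_log(requests=SAMPLE_REQUESTS, **kwargs):
    """Audit every request; keys are 'METHOD /path' so results are easy to read."""
    return {f"{m} {urlsplit(u).path}": audit_request(m, u, b, **kwargs) for m, u, b in requests}


if __name__ == "__main__":
    for endpoint, findings in audit_log().items():
        print(endpoint, "->", "; ".join(findings) or "ok")
```

The check deliberately ignores plaintext HTTP on its own (the public "Popular" feed over HTTP is not a privacy problem) and only speaks up when sensitive data rides on it, so the two requests from the post are the ones that light up.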

The Issue

As was addressed in the other post, this is offensive for a few reasons:

  1. Hipster never asked me for permission to send my address book emails to them.
  2. Hipster does not say anything (AFAIK) about whether they are storing those emails, or what they do with them.
  3. The Hipster app allows you to deselect the “Contacts” button when looking for new friends, but it is enabled by default. Therefore, there is no way to avoid sending address book emails to Hipster, as far as I can tell.

Thanks to the original article on Path. While it is up for debate how much of a negative impact this has on an individual’s privacy, I feel these two examples (which were easy to come by) point toward a state of lax privacy attitudes among some of the leading edge of socially-minded consumer applications.

Time to clean up a bit, right?

Comments below, or hit me up on Twitter, @mchang
