Plain Vanilla’s smartphone game QuizUp has found itself in the middle of a security storm.
It was discovered that not only does the game freely send an unencrypted copy of a user’s personal details back and fourth between servers, but it also mines the same data for a user’s entire contact list.
“Through my research into the way the app functioned it became apparent that they weren’t just exposing private information but were actively breaking numerous rules, policies, security best practices, and actively deceiving their users,” Richter found.
“In the case of QuizUp they actually send you other users’ personal information via plain-text (un-hashed); right to your iPhone or iPod touch. This information includes but isn’t limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is.
“I have been able to access the personal information of hundreds of people who I have never met, and had no interaction with other than we both used QuizUp. These people likewise had access to my personal information. It is important to keep in mind these were not people who added me as friends inside of the app, these were complete strangers in every sense.”
Plain Vanilla has since said that an update ‘fixing’ the issue is currently in submission with Apple, adding that the information in question was never stored on their servers.
However, as we’re talking about a design issue here as opposed to a bug, how much comfort that will bring is a matter of debate.