26 Nov 2013

QuizUp Sends Personal User Info To Strangers

It’s only been two-and-a-half weeks since hit mobile trivia app QuizUp began to take the world by storm. It’s fun, and it’s addictive*… but if you haven’t started playing yet, you might want to wait a little bit before downloading the app and connecting it to Facebook. That’s because one software developer claims to have uncovered what he views to be privacy issues with the way that QuizUp stores and shares personal information. Updates below.

Kyle Richter, a software developer and CEO of Dragon Forged Software (full disclosure: a competitor of sorts to QuizUp), wrote a blog post yesterday detailing how QuizUp shares the personal information of its users with their opponents in plain text. According to Richter, that information includes but is not limited to “full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is.”

We spoke to Richter about his article, and asked additional questions to follow up after we received a response from Plain Vanilla, the publishers of QuizUp.

It’s important to note that the information users have access to is not that of friends, but of strangers that they’re playing matches against, Richter writes. Facebook tokens are also sent over SSL but in plain text, which means that if you’re tech savvy enough you could intercept it, though the app does not have posting permissions.

Just as importantly, QuizUp appears to store your personal contact data after you give it access to your address book, presumably to invite other users to join you in playing the game. Richter writes:

“When access is granted, all of your contact’s emails are sent, once again in plain text, to QuizUp’s servers. This is done under the deception that you are hand inviting your friends on a one by one basis via SMS, while in the background it is copying and transmitting their contact data.”

As a note, the data transmitted was done so over SSL, and required interception and translation by a proxy tool. Not something likely to happen to most users.

Read the full story >>

Filled Under:


Post a Comment