Just when it seemed like the controversy surrounding anonymous message posting app Whisper was calming down, the company is facing new accusations. And the app maker is fighting back tooth and nail.
A security startup, Xipiter, has published a long blog post full of scathing allegations about Whisper, including a video that it says demonstrates a security hole it found.
That hole allegedly allows an attacker to hijack somebody’s account, see the secret messages they sent, and send fake messages.
Whisper’s co-founder Michael Heyward and its CTO Chad DePue talked to Business Insider and told us it is simply not possible to do such things with its app. Heyward claims the video and other claims are “ridiculous,” “bizarre” and “doctored.”
Whisper tells us that it doesn’t store copies of the messages. If messages are stored, they are stored on users’ phones, not a server or cloud somewhere that a user can hack.
Here’s the video the security firm published:
Whisper’s Heyward sent us what he claimed was evidence of how the video is doctored: two photos showing what he says is a mistake in the fake video. The allegedly captured private messages and the messages that were actually sent to a phone were not an exact match. One of them was missing a sentence: “This is a secure message. how are you?”
That evidence was hotly refuted by Stephen Ridley, a principal at Xipiter.
We weren’t looking at a mistake, he told us; we were looking at messages that were captured in a random order by tapping into the “application programming interface” from TigerText, the service Whisper relies on to send private messages.
Ridley, we should point out, is not a security fly-by-night. He’s the former CSO at Simple Finance, speaks at some prestigious security conferences (he just gave this Nike Tech Talk), and his firm, Xipiter, is known for a successful Kickstarter project — a product called the USB Condom.
The interaction between the two sides is really odd.
Whisper says that it reached out to the Xipiter researchers to discuss the holes and could not reach anyone but an admin. Ridley, however, answered our email and returned our call within minutes.
Ridley says the admin promptly called Whisper back to set up a meeting which was to happen this week. But then Xipiter also went ahead and published its scathing blog post before that meeting took place.
Ridley says all of Whisper’s efforts were really to get Xipiter to join its “bug bounty” program where security researchers can get paid for reporting holes they find. Those programs often require researchers to sign non-disclosure agreements.
“We don’t want their money. We make our own money,” Ridley told us. He didn’t want to sign an NDA because he feels Whisper “has a history of public denials” and he wanted people to understand the risks of anonymous apps and “highlight the broader privacy conversations we’ve been having,” he says.
A Whisper spokesperson indicated to us that Xipiter is really just looking for its 15 minutes of fame, and Ridley didn’t deny it. “What we get from doing this? Eyes on us,” he said.
So who is telling the truth?
If the hole is for real, independent security researchers will validate it and Whisper will be caught out. If it’s not real, Xipiter and Ridley will be outed and their reputations ruined.
Ridley tells us he has now asked independent security people to do just that, confident they will exonerate Xipiter.
Meanwhile, Whisper isn’t giving an inch. In addition to a phone call from Heyward and DePue, a spokesperson said Whisper has a point-by-point rebuttal of every accusation Xipiter has made. When we get it, we’ll add it to this story.
Everyone, including us, agrees on one thing: the situation is bizarre.