Yik Yak, an app that acts as a local anonymous message board, makes it possible to find users’ precise locations and unique IDs, Motherboard reports. A researcher who analyzed Yik Yak data was able to access precise GPS coordinates of where posts and comments came from, accurate within 10 to 15 feet, and says he brought his findings to the company in April.
First launched in 2013, Yik Yak was popular on college campuses, where it was often used to gossip, post updates, and cyberbully other students. After waning relevance and failed attempts at content moderation, the app shut down in 2017, only to rise from the dead last year. In November, the company said it had passed 2 million users.
Motherboard spoke with David Teather, a computer science student based in Madison, Wisconsin, who raised the security concerns to Yik Yak and went on to publish his findings in a blog post. The app shows posts from nearby users but displays only approximate location, such as “around 1 mile away,” up to five miles, to give users a sense of where in their nearby community updates are coming from.
Though Yik Yak promises anonymity, Teather points out that combining GPS coordinates and user IDs could de-anonymize users and find out where people live since many are likely to be using it from home and the data is accurate to within 10 to 15 feet. That combination of information could be used to stalk or watch a particular person, and Teather mentions that the risk could be higher for people living in rural areas where homes are more than 10 to 15 feet apart because a GPS location could narrow a user down to one address.
As Motherboard reports, the data is accessible to researchers like Teather, who know how to use tools and write code to extract information — but the risk was real enough to prompt Teather to bring it to Yik Yak’s attention.
I discovered that @YikYakApp is exposing millions of user locations through sending precise GPS coordinates of all posts and comments (accurate within 10-15 feet) to the app, these can be harvested by malicious actors to track users locations.https://t.co/pgT809okv7
— David Teather (@david_teather) May 9, 2022
“Since user ids are persistent it’s possible to figure out a user’s daily routine of when and where they post YikYaks from, this can be used to find out the daily routine of a particular YikYak user,” Teather writes. He listed other ways the data could be abused, like finding out where someone lives, monitoring users, or breaking into someone’s home when they’re not there.
Yik Yak did not respond to a request for comment from The Verge.
According to Motherboard, the latest version of the app released by Yik Yak no longer exposes precise location and user IDs, but Teather says he can still retrieve that information using previous versions of the app.
“If YikYak did take this more seriously they would restrict these fields from being returned and break older versions and force users to upgrade to a newer version of the app,” he wrote in the blog post.
