26 Nov 2013
Socially networked game app QuizUp sends users’ personal information in plain text, posing the risk of privacy invasion, according to Kyle Richter, software developer and CEO of Dragon Forged Software.
QuizUp shares its players’ data with their game opponents during the process of inviting contacts to join in, Richter writes on his blog.
“QuizUp needs to request access to your contact list,” when sending an SMS asking friends to download the app, Richter writes. “When access is granted, all of your contact’s emails are sent, once again in plain text, to QuizUp’s servers.”
“While QuizUp does use HTTPS for all of the network calls, the data that is being handed back to the device is in a readable (non-hashed) state and is very sensitive in nature,” adds the developer.
Disclosed data includes names, Facebook IDs, email addresses, pictures, gender, birthdays and location data.
Plain Vanilla responded to the statements made in Richter’s presentation in an email to TechCrunch.
“Privacy is incredibly important to us. We never send or receive any data in plain text to our servers,” said CEO Thor Fridriksson. He agreed that several security flaws need to be fixed, but promised QuizUp will release an update to reduce the risk of future data interception.
The allegations come after QuizUp reached more than 1 million downloads following its launch in the Apple App Store on 7 November 2013.