Fizz compromised users’ privacy. It can do it again.

It seems like the perfect origin story: a 19-year-old Stanford dropout getting his big break with someone he met at a frat party. The Social Network 2.0 is playing out before our eyes. But these are entrepreneurs who, through their app Fizz, have access to an inordinate amount of highly sensitive information about their peers and about young people across the country, on a platform that promises anonymity to its meme-creating users.

In light of Fizz’s recent $4.5 million funding round, students at Stanford — and at every one of the more than 1,000 campuses on which Fizz intends to launch — should know that Fizz was hacked last year by three Stanford students.

Fizz did not protect users’ data. What happened next?

Aditya Saligrama ’24, Miles McCain ’24 and Cooper de Nicola ’22 MS ’23 told me in an email that they investigated Fizz’s security on the evening of November 5, 2021, after they were “initially concerned about Fizz’s strong public claims of total anonymity.” I had contacted one of the students in the early fall after a mutual friend told me that Fizz had apparently been hacked last year.

Saligrama, McCain and de Nicola all have professional experience in cybersecurity and have previously conducted dozens of security vulnerability disclosures. They had no previous relationship with Fizz or its founders, Teddy Solomon and Ashton Cofer. When they saw the number of highly sensitive and personal posts made by fellow students on the app, they realized that “if a security vulnerability could lead to the de-anonymization of posts, this information could be extremely harmful to Stanford students.”

Hoping to ensure the safety of Fizz users and “intending to inform the founders of any potential vulnerabilities,” the team began digging. Here’s what they told me they found, as they wrote in their October 2022 email (emphasis added):

“At the time, Fizz used Google’s Firestore database product to store data including user information and posts. Firestore can be configured to use a set of security rules to prevent users from accessing data they should not have access to. But, Fizz did not have the necessary security policies in place, allowing anyone to directly query the database and gain access to a significant amount of sensitive user data.

We found that phone numbers and/or email addresses for all users were fully accessible and that posts and upvotes were directly linked to this identifiable information. It was possible to identify the author of any post on the platform.

Also, the database was fully editable – it was possible for anyone to edit posts, karma values, moderator status, and so on. Having moderator status provided access to a dashboard that provided the ability to delete arbitrary posts.”
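What the researchers describe is a Firestore project whose client-facing security rules allowed unrestricted reads and writes. Firestore rules are the only thing standing between a mobile client and the database: the Firebase project configuration is bundled into the app, so anyone who unpacks it can open the same connection the app uses and issue arbitrary queries. The following is an added illustration written for this article, not Fizz’s actual configuration and not anything the researchers published. Ruleset A is the wide-open pattern that produces exactly the behaviour they report; Ruleset B is one way to close it. The collection names (`users`, `posts`, `postAuthors`) and field names (`phone`, `email`, `isModerator`, `karma`, `authorId`, `text`, `createdAt`) are assumptions chosen for the example.

```firestore
// ---- Ruleset A: effectively no security rules (the failure mode described above) ----
// Anyone who can reach the project, signed in or not, can read and write every
// document: user records with phone/email, posts, karma, moderator flags.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

// ---- Ruleset B: one way to lock it down (a separate rules file; names are assumed) ----
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    // Moderator status is read from the caller's stored user document, never
    // from anything the client sends in the request.
    function isModerator() {
      return signedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isModerator == true;
    }

    // Identifiable data (phone, email) lives only here and is readable only by
    // its owner; the collection cannot be listed. Privileged fields (isModerator,
    // karma) can neither be set on create nor touched on update from a client;
    // only server-side code using the Admin SDK (which bypasses rules) sets them.
    match /users/{uid} {
      allow get: if isOwner(uid);
      allow list: if false;
      allow create: if isOwner(uid)
        && request.resource.data.keys().hasOnly(['phone', 'email', 'createdAt']);
      allow update: if isOwner(uid)
        && request.resource.data.diff(resource.data).affectedKeys()
             .hasOnly(['phone', 'email']);
      allow delete: if false;
    }

    // Posts are readable by any signed-in user, so they must not carry the
    // author's identity. Clients may only create a post with a bounded text
    // field; vote counts and karma are adjusted server-side, and only a
    // moderator (as determined above) may delete.
    match /posts/{postId} {
      allow read: if signedIn();
      allow create: if signedIn()
        && request.resource.data.keys().hasOnly(['text', 'createdAt'])
        && request.resource.data.text is string
        && request.resource.data.text.size() <= 2000;
      allow update: if false;
      allow delete: if isModerator();
    }

    // The post-to-author mapping is server-only. No client, moderator or not,
    // can read or write it, so a mistake in another rule cannot leak it.
    match /postAuthors/{postId} {
      allow read, write: if false;
    }

    // Any path not matched above is denied by default.
  }
}
```

Two points a practitioner should keep in mind when applying this pattern. First, Firestore rules grant or deny access to whole documents; they cannot hide one field of a document the client is allowed to read, which is why the author identity is kept in a separate, client-inaccessible collection rather than as an `authorId` field on the post. Second, rules only constrain client SDKs; server code using the Admin SDK bypasses them entirely, so the “developers can identify users” concern raised later in this article is not something rules alone address. The two rulesets above would each be deployed as their own `firestore.rules` file (for example with `firebase deploy --only firestore:rules`) and can be exercised offline against the Firestore emulator (`firebase emulators:start --only firestore`) before going live.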

The team said it “notified Fizz of the security vulnerabilities on November 8, 2021,” in keeping with industry best practice for coordinated disclosure. They said Fizz first thanked them for sharing their findings and told them on November 22, 2021 that they “considered the issues resolved.”

That same day, November 22, Saligrama, McCain and de Nicola received a legal threat from Fizz’s lawyers.

“Fizz’s lawyer threatened us with criminal, civil and disciplinary charges unless we agreed to remain silent about the vulnerabilities. If we agreed to their demands within five days, they said they would not pursue ‘charges,’” the team told me.

The Daily obtained a copy of the letter sent by Fizz’s lawyers, which included the following threats (Fizz was called Buzz at the time of this letter):

“[The security researchers] may be liable for fines, damages and each of them [the security research group] could be imprisoned… Criminal penalties under the CFAA could be up to 20 years depending on the circumstances.”

“The group’s actions are also a violation of Buzz’s terms of service and constitute a breach of contract, which entitles Buzz to compensatory damages and compensation for lost income.”

“The Group’s agreement to infiltrate Buzz’s network is also a separate crime of conspiracy, which exposes the Group to even more significant criminal liability.”

Far from welcoming constructive concerns in the nascent phase of their app, Fizz’s founders chose instead to prioritize preserving their image, even if it meant breaking industry norms and threatening their classmates with decades in prison. Their actions can discourage future white-hat hackers from reporting important security problems with the app. For reference, Google has a vulnerability reward program that pays security researchers several million dollars per year “to honor all the groundbreaking external contributions that help us keep our users safe.”

The trio did not back down. “The Electronic Frontier Foundation (EFF) generously agreed to represent us pro bono, and we didn’t agree to Fizz’s demands. Threatening your classmates with felony charges in an attempt to cover up your mistakes is not a good look,” Saligrama, McCain and de Nicola told The Daily.

Solomon and Cofer did not respond to multiple requests for comment about this incident and Fizz’s safety.

Buzz had serious problems. What does this mean for Fizz?

Fizz today, with far more money, experience and staff, stores user data more securely than a year ago. I have the same praise and concerns about the app itself that I had last year when I wrote my first article about startups. There will surely always be a place for anonymous apps on college campuses, as we’ve seen time and time again.

But some may have less faith that the company’s responses to scrutiny — driven by the same individuals — can change so easily. Who do you trust to handle your data and most personal confessions securely? Who do you trust to shape your perception of the “true” nature of our campuses and communities?

This vulnerability disclosure is just one incident in Fizz’s history, but it provides a deep window into the company’s operations. To name just four main areas of concern:

  1. Fizz had such a large, easily found data vulnerability in the first place, compromising users’ privacy.
  2. Fizz did not genuinely welcome the good-faith disclosure of the vulnerability, but instead sent a legal threat to the team of student researchers.
  3. Fizz did not disclose the data exposure to its users as fully and transparently as it could or should have done.
  4. Our data was stored in Fizz’s database without being anonymized.

Until all of these issues are satisfactorily resolved, our confidence in Fizz may not be fully restored.

Although Fizz released a statement titled “Security Improvements Regarding Fizz” on December 7, 2021, the page is no longer reachable from Fizz’s website or through Google search at the time of this article’s publication. Talking to other Fizz users on campus, I found that very few had heard of last year’s incident. Fizz should have kept the statement up and made an official post on the app about the vulnerability when it happened. Surely all users want to be clearly informed when our trust in an app is violated. We want to know that the content and upvotes we see cannot be manipulated in any way by moderators and developers.

Furthermore, we still do not know whether our data is internally anonymized. The founders told The Daily last year that users are identifiable to developers. Fizz’s privacy policy implies that this is still the case: for example, it says they may share “certain information” if “we believe your actions violate our user agreements or policies, or to protect the rights, property, and safety of Fizz or others.”

While the privacy policy doesn’t specify what this user information might be, it also says that Fizz has “collected personal information in the following categories,” which may include: “identifiers such as real name, alias, … Internet Protocol address, email address, username”; “financial or health information”; “browsing history, search history and information about a consumer’s interaction with a website on the Internet [or] application.” Of course it would be disastrous if someone with malicious intent were to gain access to this information.

I sincerely hope that Fizz’s founders will not react so aggressively in response to future disclosures and investigations of vulnerabilities in good faith. Fizz can only improve sustainably if leaders listen and remain accountable to these many college communities. Anything less could pose a huge risk to Fizz users and the future of the app.
