Inside the 'bizarre' public fight anonymous app Whisper is having with a security startup

(Michael Seto/Business Insider) Whisper co-founder Michael Heyward

Just when it seemed like the controversy surrounding anonymous message posting app Whisper was calming down, the company is facing new accusations. And the app maker is fighting back tooth and nail.

A security startup, Xipiter, has published a long blog post full of scathing allegations about Whisper, including a video that it says demonstrates a security hole it says it found.

That hole allegedly allows an attacker to hijack somebody's account, see the secret messages they sent, and send fake messages.

Whisper's co-founder Michael Heyward and its CTO Chad DePue talked to Business Insider and told us it is simply not possible to do such things with its app. Heyward claims the video and other claims are "ridiculous," "bizarre" and "doctored."

Whisper tells us that it doesn't store copies of the messages. If messages are stored, they are stored on users' phones, not a server or cloud somewhere that can be hacked.

Here's the video the security firm published:

Whisper's Heyward sent us what he claims was evidence of how the video is doctored: two photos showing what he says is a mistake. The allegedly captured private messages and the messages sent to a phone were not an exact match. One of them was missing a sentence: "This is a secure message. how are you?"

(Xipiter) Whisper fake video1

(Xipiter) Whisper fake video2. Evidence of a faked video? The sentence "this is a secure message. how are you?" is missing

That evidence was hotly refuted by Xipiter principal Stephen Ridley.

We weren't looking at a mistake, he told us; we were looking at messages that were captured in a random order by tapping into the "application programming interface" from TigerText, the service Whisper relies on to send private messages.

Ridley, we should point out, is not a security fly-by-night. He's the former CSO at Simple.com, speaks at some prestigious security conferences (he just gave this Nike Tech Talk), and his firm, Xipiter, is known for a successful Kickstarter project: a product called the USB Condom.

The interaction between the two sides is really odd.

Whisper says that it reached out to the Xipiter researchers to discuss the holes and could not reach anyone but an admin. Ridley, however, answered our email and returned our call within minutes.

Ridley says the admin promptly called Whisper back to set up a meeting which was to happen this week. But then Xipiter also went ahead and published its scathing blog post before that meeting took place.

(LinkedIn/Stephen Ridley) Xipiter principal Stephen Ridley

Ridley says all of Whisper's efforts were really to get Xipiter to join its "bug bounty" program where security researchers can get paid for reporting holes they find. Those programs often require researchers to sign non-disclosure agreements.

"We don't want their money. We make our own money," Ridley told us. He didn't want to sign an NDA because he feels Whisper "has a history of public denials" and he wanted people to understand the risks of anonymous apps and "highlight the broader privacy conversations we’ve been having," he says.

He pointed to the controversial articles published by the Guardian accusing Whisper of spying on its users. However, the Guardian later took down that story and retracted a lot of it.

A Whisper spokesperson indicated to us that Xipiter is really just looking for its 15 minutes of fame, and Ridley didn't deny it. "What we get from doing this? Eyes on us," he said.

(Screenshot) Whisper app

So who is telling the truth?

If the hole is for real, independent security researchers will validate it and Whisper will be caught. If it's not real, Xipiter and Ridley will be outed and their reputations ruined.

Ridley tells us he has now asked independent security people to do just that, confident they will exonerate Xipiter.

Meanwhile, Whisper isn't giving an inch. In addition to a phone call from Heyward and DePue, a spokesperson said Whisper has a point-by-point rebuttal of every accusation Xipiter has made. That rebuttal described what it called a "rare case" where a hacker could theoretically hijack a user's account, discussed how multiple users may have the same nickname, and confirmed that it did invite Xipiter to join its bug bounty program.

Everyone, including us, agrees on one thing: the situation is bizarre.
