Sarahah allows users to leave anonymous messages on other users' profiles.
Sarahah is currently a trending social media application on iOS and Android. It is an anonymous messaging app that allows users to leave anonymous messages on other users' profiles. Once a user registers for an account, they can share their profile link with friends (or post it publicly), and anyone with this link can send messages to that profile. The app doesn't allow users to reply to messages, nor can they see who a message is from, unless the sender includes their name in the message. Users also have the option to only receive messages from other registered users. Sarahah was released on iOS and Android in June and, as Android Authority reports, it blew up in popularity, in part due to the ability for users to share their profile links in Snapchat snaps. Sarahah is currently the No. 1 free iPhone app on iTunes.
Vulnerability In Sarahah:
This vulnerability was reported by Defencely.com, who state that it is caused by the insecure reflection of message content when new messages are loaded: messages are not properly filtered when they are read back from the database and rendered. Recently Shawar Khan embedded a video on his website demonstrating the XSS vulnerability in Sarahah; the video is given below.
The exploitation script can capture messages, change emails and delete accounts. Shawar Khan posted the XSS exploit code on his GitHub account. Some users report that this vulnerability has now been fixed, while others say the code still works. The whole video is available on Shawar Khan's site, so you can check it there.
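The root cause described above is message text being inserted into the profile page as raw markup. The following is an added example, not Sarahah's or Shawar Khan's code, showing the unsafe rendering pattern beside the hardened one; the message objects and their JSON shape are constructed for illustration, since the real API format is not on the page.

```javascript
// Constructed sample messages, as a client might receive them from a
// messages endpoint (hypothetical shape). Message 2 carries hostile content.
const SAMPLE_MESSAGES = [
  { id: 1, text: "Nice profile!" },
  { id: 2, text: "<script>alert(1)</script>" },
  { id: 3, text: "Tom & Jerry <3" },
];

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: untrusted text concatenated straight into markup.
// Whatever a sender typed becomes part of the DOM of every viewer.
function renderMessagesUnsafe(messages) {
  return messages.map((m) => `<li data-id="${m.id}">${m.text}</li>`).join("");
}

// Hardened pattern: every untrusted value is escaped before concatenation,
// so tags in a message are shown as literal text instead of being executed.
function renderMessagesSafe(messages) {
  return messages
    .map((m) => `<li data-id="${escapeHtml(m.id)}">${escapeHtml(m.text)}</li>`)
    .join("");
}

// In a real browser page, prefer DOM APIs that never parse text as markup.
// `doc` is passed in so the function can be exercised outside a browser.
function appendMessagesDom(listEl, messages, doc) {
  for (const m of messages) {
    const li = doc.createElement("li");
    li.setAttribute("data-id", String(m.id));
    li.textContent = m.text; // creates a text node; never interpreted as HTML
    listEl.appendChild(li);
  }
  return listEl;
}

// Simple regression check for the rendering layer: no raw script tag may
// survive into the markup that is handed to innerHTML.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Output encoding at the rendering point is the fix; the same messages stored in the database stay unchanged and simply cannot run when displayed.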
This XSS vulnerability affects only users of the browser version; if you use Sarahah through the mobile app, you are safe. Before this, many people were claiming that the app sells user data to advertising companies. The app has reached millions of downloads in just a few days.