At Blind, a security lapse revealed private complaints from Silicon Valley employees

Thousands of people trusted Blind, an app-based “anonymous social network,” as a safe way to reveal malfeasance, wrongdoing and improper conduct at their companies.

But Blind left one of its database servers exposed without a password, making it possible for anyone who knew where to look to access each user’s account information and identify would-be whistleblowers.

The South Korea-founded company made its way into the U.S. in 2015, where it quickly became a popular anonymous social network for major tech companies, touting employees from Apple, Facebook, Google, Microsoft, Twitter, Uber and more. Blind last month secured another $10 million in new funding after a $6 million raise in 2017. But Blind only gained mainstream attention when it became the source of several high-profile scandals, including allegations of sexual harassment at Uber, which later blocked the app on its corporate network.

The exposed server was found by a security researcher who goes by the name Mossab H, who informed the company of the lapse. The researcher found one of the company’s Kibana dashboards, sitting in front of its backend Elasticsearch database and reachable without any authentication. It exposed several indices, including private messaging data and web content, for both its U.S. and Korean sites. Blind said the exposure affects only users who signed up or logged in between November 1 and December 19, and that it relates to “a single server, one among many servers on our platform,” according to Blind executive Kyum Kim in an email.

Blind only pulled the database after TechCrunch followed up by email a week later. The company began emailing its users on Thursday after we asked for comment.

“While developing an internal tool to improve our service for our users, we became aware of an error that exposed user data,” the email to affected users said.

Kim said that there is “no evidence” that the database was misappropriated or misused, but did not say how it came to that conclusion. When asked, the company would not say if it will notify U.S. state regulators of the breach.

Blind’s chief executive Sunguk Moon, who was copied on many of the emails with TechCrunch, did not comment or acknowledge the exposure.

At its core, the app and anonymous social network allows users to sign up using their corporate email address, which is said to be linked only to Blind’s member ID. Email addresses are “only used for verification” to allow users to talk to other anonymous people in their company, and the company claims that email addresses aren’t stored on its servers.

But after reviewing a portion of the exposed data, some of the company’s claims do not stand up.

We found that the database provided a real-time stream of user logins, user posts, comments and other interactions, allowing anyone to read private comments and posts. The database also revealed the unencrypted private messages between members, but not their associated email addresses. (Given the high sensitivity of the data and the privacy of the affected users, we’re not …
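The lapse described above is a well-known misconfiguration: an Elasticsearch node, with Kibana in front of it, listening on a reachable address with no authentication, so that anyone who finds the port can read every index. As an added check, not code from Blind, the researcher or TechCrunch, here is a small Python probe that classifies a node’s reply to GET / (an unauthenticated node answers with its cluster metadata and the fixed tagline) and then lists indices whose names suggest personal data. The host name, cluster name, index names and sample responses are constructed for the example, and the keyword list is an assumption to be tuned for the environment being assessed.

```python
# Added example (not Blind's code, nor anything from the TechCrunch report):
# how a practitioner checks whether an Elasticsearch node answers without
# credentials, the condition described above. Host names, index names and
# the sample responses below are constructed for illustration.
import json
import sys
import urllib.error
import urllib.request

ES_PORT = 9200                        # Elasticsearch's default REST port
ES_TAGLINE = "You Know, for Search"   # literal returned by GET / on every node

# Index-name fragments that suggest personal data (assumption for the demo;
# tune to the environment being assessed).
SENSITIVE_KEYWORDS = ("message", "login", "user", "comment", "post")


def classify_es_root(status, body):
    """Classify the reply to GET / on a suspected Elasticsearch port.

    Returns 'open' (cluster metadata returned with no credentials),
    'auth-required' (401/403 from X-Pack security or a proxy),
    'unreachable' (no HTTP reply at all) or 'not-elasticsearch'.
    """
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "not-elasticsearch"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(doc, dict) and doc.get("tagline") == ES_TAGLINE and "cluster_name" in doc:
        return "open"
    return "not-elasticsearch"


def sensitive_indices(cat_indices_body, keywords=SENSITIVE_KEYWORDS):
    """Parse GET /_cat/indices?format=json and return (index, doc_count)
    pairs whose names hint at personal data, largest first. System indices
    (names starting with '.') such as .kibana are skipped."""
    hits = []
    for row in json.loads(cat_indices_body):
        name = row.get("index", "")
        if name.startswith("."):
            continue
        if any(k in name.lower() for k in keywords):
            hits.append((name, int(row.get("docs.count") or 0)))
    return sorted(hits, key=lambda pair: pair[1], reverse=True)


def probe(host, port=ES_PORT, timeout=5):
    """Live check against a host you are authorised to test. Never sends
    credentials; an 'open' verdict means the node answered without any."""
    base = "http://%s:%d" % (host, port)

    def get(path):
        req = urllib.request.Request(base + path, headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:   # 401/403/404 etc. still carry a body
            return err.code, err.read().decode("utf-8", "replace")
        except urllib.error.URLError:           # refused, timed out, no route
            return None, ""

    status, body = get("/")
    result = {"host": host, "verdict": classify_es_root(status, body), "indices": []}
    if result["verdict"] == "open":
        status, body = get("/_cat/indices?format=json")
        if status == 200:
            result["indices"] = sensitive_indices(body)
    return result


# Constructed sample replies, shaped like real Elasticsearch output, so the
# classifier can be exercised offline.
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "demo-cluster", "cluster_uuid": "x",
    "version": {"number": "6.5.1"}, "tagline": ES_TAGLINE,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green",  "status": "open", "index": ".kibana_1",                "docs.count": "12"},
    {"health": "yellow", "status": "open", "index": "private_messages-2018.12", "docs.count": "48213"},
    {"health": "yellow", "status": "open", "index": "user_logins-2018.12",      "docs.count": "910332"},
    {"health": "green",  "status": "open", "index": "webcontent",               "docs.count": "500"},
])

if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python es_exposure.py es.example.internal
        print(json.dumps(probe(sys.argv[1]), indent=2))
    else:
        print(classify_es_root(200, SAMPLE_OPEN_ROOT))
        print(sensitive_indices(SAMPLE_CAT_INDICES))
```

Run it only against hosts you are authorised to test. An “open” verdict is the state Blind’s server was in: the fix is to require authentication on both Elasticsearch and Kibana and to stop binding them to an address reachable from the internet, not to rely on nobody knowing where to look.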
