Whisper, an app for anonymously posting messages and privately messaging other users, has accused security company Xipiter of faking a video showing what appear to be serious security flaws in its application. Whisper claims not to keep any record of users' conversations and that these are entirely private, but the video from Xipiter appears to show otherwise. The video released by Xipiter shows a private conversation taking place between two users of the app, followed by a script being run that retrieves the messages in that conversation.
Whisper has claimed that the video was faked and that there are no issues with its security. Xipiter claims, however, that a patch for the issues was released 48 hours after Whisper received the video. Xipiter has released a timeline of its interaction with Whisper regarding the vulnerabilities. While it is not uncommon to see companies attempt to downplay the severity of vulnerabilities, outright denial is fairly rare.
While technical details of the vulnerability that allowed private messages to be read have not been released, Stephen Ridley, principal researcher at Xipiter, appeared to suggest in an interview on the Risky Business podcast that it works by a user adding themselves to a private message thread and then retrieving all of its unread messages.