Popular trivia game QuizUp reportedly has numerous security and privacy issues. The app seems to be sending your information, including your name, email address, and Facebook ID, to the devices of other users. This information comes to us from a blog post by developer Kyle Richter:
In most circumstances, in a breach of privacy situation a company stores sensitive information in plain text on a server somewhere, someone comes along and figures out how to access that data. However in the case of QuizUp they actually send you other users’ personal information via plain-text (un-hashed); right to your iPhone or iPod touch. This information includes but isn’t limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is. I have been able to access the personal information of hundreds of people who I have never met, and had no interaction with other than we both used QuizUp. These people likewise had access to my personal information. It is important to keep in mind these were not people who added me as friends inside of the app, these were complete strangers in every sense.
Also of note is how QuizUp handles access to your contacts. The game lets you invite your friends via text message, which requires granting QuizUp access to your contacts. Once you do, QuizUp sends your contacts' emails, in plain text, to its servers, in violation of federal privacy laws. This is the same thing that got social network Path in trouble last year.
Never mind for the moment that QuizUp breaks App Store rules. How is the security of your customers and their information not a top priority? How can you treat it so casually? That any developer might be so lax about security, particularly in a time when people are increasingly worried about their online privacy, is inexcusable.
For the full rundown on this issue, read Kyle's post. The extent of what he found is truly troubling.
Source: Kyle Richter