The Whisper Secret-Sharing App Exposed Locations

This is a big deal:

Whisper, the secret-sharing app that called itself the “safest place on the Internet,” left years of users’ most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed.


The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.


The exposed records did not include real names but did include a user’s stated age, ethnicity, gender, hometown, nickname and any membership in groups, many of which are devoted to sexual confessions and discussion of sexual orientation and desires.

The data also included the location coordinates of the users’ last submitted post, many of which pointed back to specific schools, workplaces and residential neighborhoods.

Or homes. I hope people didn’t confess things from their bedrooms.

Posted on March 12, 2020 at 6:30 AM23 Comments


Winter March 12, 2020 7:06 AM

I am wondering, did Whisper clear the Mud Puddle Test?

And in the age of Signal and, why would anyone use cleartext storage for senstitive content?

Faustus March 12, 2020 10:25 AM

There seems to be an extreme divergence of mentality in our society. Most people now feel incomplete if they are not sharing the intimacies of their lives with as many people as will listen. As someone who strongly connects privacy and confidentiality with identity, and honor, and freedom, and self-respect, these people seem a different species that I more and more wonder if I am even interested in.

And they will answer: “Oh yeah? Well we aren’t interested in you, either!” But this is exactly what I want, to share my life with a few physical people that I care about and to be ignored by the locusts that consume the chaff and loose skin cells of others’ emptiness.

TimH March 12, 2020 10:33 AM

There are so many scandals about dating and hookup agency data dumps that it beats me why anyone with any feeling for privacy uses them. Maybe it’s a simple as the people looking for repeated encounters don’t care, while those looking for a monogamous partner simply don’t use these services anymore.

Sed Contra March 12, 2020 11:45 AM

These and all so-called “social media” (a term of deceiving ideology if ever there was one) claim and appear to virtualize the person to person encounter, but actually vaporize it, providing a sentimental (ie imaginational but unlived) substitute.

Go in the life you actually live and meet real people. Feel the fear and do it anyway! (And leave your phone/tablet/computer thingy at home.)

Peter A. March 12, 2020 12:16 PM

@Faustus: not really.

There were always such people. They confessed to complete strangers on the train or bus, spread rumors to everyone they met, and so on. In the past it was just difficult for them to reach too many other people – and few were blatant enough to not shy off when others were not listening or only pretending to listen.

Computers made such people able to reach millions – and made an appearance of an ever-listening crowd. Computers are programmed to be patient. They do not go away, do not roll their eyes, do not make bored expressions on their faces, do not dive into a book or newspaper ignoring you – they happily take all input. Therefore fewer people get shy when confessing to them.

mEntropy March 12, 2020 12:20 PM

To sum it up, signal, whisper, whatsapp, none of them offer any confidentiality or privacy in the true meaning of the words. Somebody controls and taps the data and we get to learn of it years after the fact, by design.

Obviously intentional, wear down potential users craving privacy and confidentiality on an open network until it sinks in that resistance is futile.

Bad encryption becomes just another vector to infect and identify you with, sold as incompetence for plausible denyability. The endresult is happy TLAs and cybercriminals all over the world taking away troves of data no crime or epidemic is ever prevented with, but gold to those blackmailing for political leverage or money.

Honestly, that’s horrible and I resent the mechanics of modern software design and marketing resulting in this mess.

salad fingers March 12, 2020 1:01 PM

What are some alternatives to Signal and Whisper? For Android and iOS?

Xabber with OTR perhaps?

Could someone please offer some suggestions?

Perhaps a website with crypto chat?

Winter March 12, 2020 1:19 PM

“To sum it up, signal, whisper, whatsapp, none of them offer any confidentiality”

Who claims Signal and WhatsApp can read your messages?

Have yet to hear about an issue with Signal.

Grima S March 12, 2020 1:28 PM

“the safest place on the internet”… Isn’t that a bit like lions marketing to goats as hosting the safest den in Tanzania?

@Faustus re: “..and to be ignored by the locusts that consume the chaff and loose skin cells of others’ emptiness.” – very nicely put.

Asa March 12, 2020 1:56 PM


I also am interested as @Winter is, what is an example of recovering signal’s text? I’m aware if someone owns owns the hardware or has physical access they can get it but my understanding was the encryption was done correctly with Signal and is not generally available to anyone.

I know the macrodata of who you talk to on Signal is not hidden but the documentation is very clear about that.

Clive Robinson March 12, 2020 3:16 PM

@ salad fingers,

What are some alternatives to Signal and Whisper? For Android and iOS?

I have said and will continue to say none of the existing messaging apps are secure in use.

Whilst it might sound like a bold contrarian statement, it isn’t, it’s a statment of practical reality.

An application is entirely usless on it’s own, it needs to run on an operating system which in turn provides connectivity to most of the hardware on your device.

With all the apps as they currently are pass ciphertext through through the OS user area, to the kernal area and then on to the device driver for the “communications” hardware. Also the app passes plaintext through the same OS user area, kernal area and a different set of device drivers for the “human interface” hardware.

Neither you nor the application have any control over the OS and device drivers on most devices. Thus it’s easily possible for those that do to “tee off the plaintext device driver” and send a copy of the plaintext to the “communications device driver” thus entirely bypassing any security the app might have.

This is not a matter of conjecture it’s been done in the past, look up “Carrier IQ” this was put on many US phones by US mobile carriers as a “tech support” aid. However it sent all the plaintext of SMS etc over the Internet in “plaintext” to Carrier IQ’s servers. Thus any SigInt agency, LEA or other “Guard Labour” organisation or criminal need only get access to the router one step upstream of Carrier IQ to harvest the plain text of nearly every US mobile phone user…

Thus puting any trust in any of these security applications that have the Human Interface and communications end point on the same device by definition can not be secure at any time.

Just remember not to give way to those that say “there’s never been a security fault with XXX” where XXX is an application, the simple facts are,

1, Not knowing of any fault is not proof of no faults.

2, You are using a system of many parts even in the remote and unlikely event the application is secure that says nothing about the OS or Hardware.

When you understand this you can move forward from “the ignorance is bliss”, “fools paradise” towards taking sensible mitigation steps.

But then I’ve said this several times before, but I don’t see people doing it… thus I can only conclude they have absolutly no interest in their actuall privacy or those they owe a duty of care towards. All they apparently want to be is “trendy” and be part of the “in crowd” or “fan-boi” overly impressed by style, caring not for substance, and like as not being in that set where M over S is greater than one, where M is money and S is sense…

At the end of the day, “You pay your money and you make your choice, and live or die by the result”. Me I know the systems can not be secure so I prefer to spend my money on real privacy. That is I don’t bother with “secure messenger apps” because I know that in a real system there are rather more things to be dealt with before privacy can be achived. Thus I spend my effort/resources on mitigate all the parts in one go…

Clive Robinson March 12, 2020 3:56 PM

@ Bruce, ALL

This is a big deal:

No not realy, it was uterly predictable from the way that system and many other systems worked or still work. We used to say “This is a big deal” about businesses loosing customer details like credit card details, now we just shrug our shoulders and say “What do you expect?” no matter how many hundreds of millions of records get effected.

I just wish people would actually wake up and realise that the Internet is not “ephemeral” nor is any other method of common communications (be it electronic or physical) in use today. Every one old enough to have lived through or read up on the Iran-Contra debacle back in the 1980’s should know that by heart, or more recently the CarrierIQ debacle, or the last “dating site” that disclosed information…

Three things can be said of nearly every communications system in common use are,

1, Data is not often protected.
2, Meta-data is very rarely protected if ever.
3, Stored data gets duplicated.

Whilst you can fix the first problem by “off device/system” encryption the second one is harder but not impossible to fix.

But few if any application designers want to fix any of the problems and in the case of the first and third problems they can not fix either at all in just an app, because “off device/system” is effectively outside their control in most cases.

If people want privacy of their data, then they need to put the security end point beyond the communications end point. That is use an entirely seperate encryption system.

Likewise if people want meta-data privacy they need to use systems that suprise suprise have not yet been developed, even though we have a fairly good idea of how to build them.

As for the storage of “data in transit” unless you own the entire system, you can not stop intransit data being stored. Thus your only protection is to be compleatly anonymous, which can be done with some forms of encryption and network layering.

We might not like this but they are the harsh realities of life.

And people wonder why “I don’t do social media”…

Alan Kaminsky March 12, 2020 4:28 PM


If people want privacy of their data, then they need to put the security end point beyond the communications end point. That is use an entirely seperate encryption system.

Absolutely right. This is one of the reasons I invented the Enigma2000 encryption algorithm and an offline “encryption appliance” based on the Raspberry Pi computer to run it on.

“Enigma 2000: An Authenticated Encryption Algorithm For Human-to-Human Communication”

lurker March 12, 2020 5:05 PM

@Faustus: your comment discloses the colour of your coat, and since I’m also wearing the same I can deduce more about you…

@All: what was leaked here was the “phone book”, which in my reckoning is as bad as the contents of calls. To display my ignorance of how these things should work, I don’t understand why these systems cannot work without a directory, like BitTorrent does. I expect I will be told that the complexity of setup would keep the users away, like PGP.

I have been invited more than once to use Skype to interview with our local public radio. I’m getting too old, I remember the shenanigans around the early days of Skype. But I offend them (PR) more I think by suggesting that Skype’s Quality of Service is unprofessional.

Sed Contra March 12, 2020 7:41 PM

Social media are a phony realism just like the early last century cheesy 2 1/2 D pseudo 3D stereo viewer. Perhaps this modern fad too will became tedious, passé and laughable.

Alejandro March 12, 2020 9:09 PM

I always thought Whisper was a black bag government op.

Especially, since it was registered on Seychelles, which is basically a government spy op on an island in the middle of the ocean…with direct access to the Atlantic optical internet cable. Also, they seemed to be interested in government secrets more than anything else. Very weird creepy operation regardless.

That their data was made public is absolutely no surprise whatsoever. I would speculate they had no interest in personal secrets at all.

However, I wonder what they chose to keep secret, to themselves, and why?

mEntropy March 13, 2020 5:16 AM

@Larry, Winter, Asa
Clive explained it.

Your smartphone isn’t safe. Neither OS nor hardware. The lines it all travels through aren’t.

Store and collect means that any encryption fails over time. Metadata allows TLAs to prioritize and choose.
Who tells you TLAs keep their data stores safe from unauthorized external access?

Signal has had data leaks and anti-confidentiality features to advertize itself. Trusting its encryption hasn’t already been compromised via built-in OS-level sidechannels or any ingenious means or undisclosed inherent flaws or all of the above when it’s a juicy target is a tad too optimistic.

Nowadays android keyboards, apple probably, too, send all input to third party-servers.

It’s an OS agnostic issue not limited to android, apple, ms or any linux et al you haven’t audited every line of code of, for every update. Nobody today can exhaustively verify a codebase to be safe to begin with due to complexity issues and then it’s stil a matter of economic interests.
You get paid more to use and sell vulnerabilities than to fix them. Most who do know keep them secret for years for any number of reasons, be it planned obsolescence and whatnot.

You may note that almost all major vulnerabilities these days take years to be publicized, some are decades old dinosaurs reintroduced with recent “updates”, too many can’t even be fixed.

Its an exhausting topic.

As a sidenote:
Google’s allo stores all your messages with flimsy justifications.

All you can do is limit the fallout of any data leaks hitting you in the years to come by forgoing convenience.

Sancho_P March 13, 2020 8:59 AM

@Alan Kaminsky

Extremely interesting, thank you!

2 reservations (in case I understood correctly):

  • HW + SW (+OS) are way too complex for a simple cryptor.
    The genius is the simple (?) encryption scheme that would likely fit an Arduino Uno. The GUI is perfect, kudos!

  • I get a very awkward feeling every time I see a machine telling me “OK, successfully decrypted, hurray, you got the right key”!
    This confirmation is exactly what a brute force attack is waiting for.
    Only a human should be able to decide, best after some vetting.

Yet Another Sockless Puppet March 13, 2020 9:33 AM

@Clive @ALL

And people wonder why “I don’t do social media”…

Let us not fool ourselves. This comment section IS a social medium, and to comment here is to self-select. It is certainly a small enough and “interesting” enough society to be treated as a needlestack.

Anyone posting regularly (anywhere) leaves a trail of breadcrumbs. It takes way more effort to leave false breadcrumbs than true ones. And it is also less satisfying to do so for anyone who is actually participating for social reasons.

So, to make my point, Clive: Did your daughter give out water at a recent Madrid marathon? Were you bracketed on all sides but the S East by early covid-19 cases? Have you been hospitalized for [redacted]? Were you born in November? Did you and Nick P ever exchange emails?

I do not know, and it is not important for me to know. Only Clive knows if there is a true crumb or two in there. And I would expect there might be some false crumbs in there too. (I added some noise to the channel myself just in case Clive didn’t:) And the reference that goes back furthest is a crumb more likely to lead to me than to him:))

My point is not to pick on you specifically, Clive (apologies). You of course get it (“the internet is not ephemeral”). That is more or less the point I am making about social media OSInt crumb trails.

My other point was about self-selection and the security value of haystacks.

Yes, our friends and neighbors and families drop many more breadcumbs than we do on the likes of facebook,etc. But they mostly drop them in haystacks. We have self-selected to drop ours in a needlestack.

Of course, with routine AI-powered scoring of various sorts the whole online world is increasingly needlestack.

So why am I here? For the intelligence, not the Intelligence. My main point is to interact socially. But I mostly just lurk.

Clive Robinson March 13, 2020 9:51 AM

@ Prof Alan Kaminski,

“Enigma 2000: An Authenticated Encryption Algorithm For Human-to-Human Communication”

I’ve only had time to skim through your paper, so far, hopefully this evening I will get the chance to do so[1].

One thing I did notice is that you did not have a “null” charecter at 0x00 in your character set.

I generaly include one as it makes changing from one sized alphabet down to another sized alphabet much easier.

The prime example being Benjamin “Pat” Bayly[2] with his design of the Rockex One Time Tape super encryptor where the ITU teltype code II was taken from 32 chararecters down to 26 character [A…Z] required for standard “five letter words” required for international cable circuits.

If you go down to the “Block Diagram” section of,

The how and the why of “nulls” at 0x00 in transmission codes becomes clear (and answers a question many students have asked me over the years but I was not alowed to tell them, even though “It’s bl33ding Obvious” when you know 😉

[1] It depends on if I can finish my ordanary weekly shop, the shelves have been striped more thoroughly than winter does to an oak tree… The reason is probably due to WHO anouncment and UK Prime minister finally doing what he should have done two to three weeks ago… However it might have something to do with their now being atleast six Confirmed COVID-19 cases within a mile or so of where I live (one apparently just four doors away if the neighbours are to be believed). However the panic buying is putting Black Friday to shame =:(


Sed Contra March 13, 2020 12:14 PM

I think generally the commenting on this blog is not social media in the meaning of the act.

However, considering rereading McLuhan Understanding Media.

Clive Robinson March 13, 2020 5:30 PM

@ Yet Another Sockless Puppet,

2 yes’s and three no’s…

Five questions, the same number I’ve mentioned before as the number of “Clive Robinson’s” you will find on the Internet in the UK, that are not me.

But atleast three of the answers I’ve mentioned on this blog but You’ve missed a couple one of which goes back to the time of the “alledged” Russian use of nerve agent in the UK. Another was when I gave part of a patent number…

At one time quite a few people on this blog were trying to “find me” they never said why, it almost turned into a game at one point. But back then I was living at one of three alternative addresses in another parts of London designing some interesting things, that required me to move around a bit.

But yes I had noticed there is a curious beast in amongst there on a long leash that leads back in time…

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.