QuizUp security flaw sends your personal data to other players

By Kelly Hodgkins

Published 25 Nov 2013

You may want to hold off on playing popular trivia game QuizUp, as the game may be sending your personal information to other players. This security and privacy flaw was detected by developer Kyle Richter and described in a recent blog post.

According to Richter, the QuizUp game sends your personal information to other players via a plain text file. Information in this file includes your full name, Facebook ID, email addresses and more. Richter didn’t divulge the steps he used to uncover this file, but he did confirm that “it took less than 15 minutes and can be done by even a novice tech-savvy computer user.” This is a very unsettling proposition, especially when you consider that this personal information is being sent to other players who are complete strangers.

Richter writes:

In most circumstances, in a breach of privacy situation a company stores sensitive information in plain text on a server somewhere, someone comes along and figures out how to access that data. However in the case of QuizUp they actually send you other users’ personal information via plain-text (un-hashed); right to your iPhone or iPod touch. This information includes but isn’t limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is. I have been able to access the personal information of hundreds of people who I have never met, and had no interaction with other than we both used QuizUp. These people likewise had access to my personal information. It is important to keep in mind these were not people who added me as friends inside of the app, these were complete strangers in every sense.

Beyond the sharing of personal information among players, there’s a secondary issue with how QuizUp handles your contacts. QuizUp allegedly accesses your contacts and uploads your address book to their servers in plain text. This violates federal privacy laws and is the same behavior that resulted in an $800,000 fine for social network Path. Thus far, QuizUp has not responded to the allegations by Richter.

[Via iMore]