Giggle; laughable security

It’s best not to threaten the people trying to help you:

Disclosure timeline:

  • 07/09/2020: Reached out privately via Twitter DM
  • 09/09/2020: Publicly reached out via Twitter
  • 09/09/2020: Continued DM with giggle owner, Sall
  • 09/09/2020: DI_Security Twitter account blocked
  • 09/09/2020: JayHarris_Sec Twitter account blocked
  • 09/09/2020: Saskia asked Sall to reconsider ignoring us
  • 09/09/2020: ms__chief account blocked
  • 09/09/2020: Journalist contacted. Ignored by giggle
  • 10/09/2020: Giggle finally asked for more details
  • 10/09/2020: Vulnerability fixed

Note: the above dates are in UK format (day/month/year).

Giggle is a social network targeting only girls / women. It’s advertised as a safe space. These security researchers discovered some glaring flaws in the application’s security, which could lead to a user’s full profile being exposed to anyone (including the latitude and longitude of where their account was created). The sign-up process for Giggle involves taking a photo of yourself and submitting it to Giggle so that their artificial intelligence tools can determine if you are really a woman; it is promised that this photo is kept private and not stored by Giggle after the initial verification. Turns out that’s not accurate, either.

So this app is a dumpster fire, security-wise. It’s courting an audience of potentially vulnerable women. Excellent combo.

These folks from Digital Interruption reached out, several times, trying to let the company founder know about these problems. In the security industry, this sort of thing is called “responsible disclosure”: inform the company privately that there’s an issue, give them 30-90 days to fix it, and then report on it publicly once the problem is fixed. This benefits both the insecure party (free advice!) and the infosec researchers (another bullet on the resume).

What you should not do, if you are the recipient of such disclosure, is to threaten legal action and throw a temper tantrum. The above reads like a wonderful comedy of errors.

Perhaps the funniest bit (to me) is this follow-up tweet thanking “Bill from Giggle” for helping solve this issue. The company founder had to be cut out in order to resolve an issue? Top brass at a digital company not understanding how technology works?
