QuizUp, the social trivia app, was released on the iOS platform earlier this month. In that short time the app has gained immense popularity, with more than two million downloads in the first two weeks. Unfortunately, the app has come under fire for revealing user details to other users.
The leaked information includes names, email IDs, phone numbers, present location, pictures and all other secured information saved in the company database.
To start playing, users need to key in their contact details, and the app seeks permission to access the details of contacts on the users' friends lists on Facebook or other social accounts. According to the charges brought by Kyle Richter, who designed a similar app called Trivium, the weakly encrypted database of QuizUp is susceptible to ghost players, and the details of other members on the app can easily be accessed in plain text.
"In the case of QuizUp they actually send you other users' personal information via plain-text (un-hashed); right to your iPhone or iPod touch. This information includes but isn't limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is," wrote Richter in a blog post, reports Business Insider. "I have been able to access the personal information of hundreds of people who I have never met, and had no interaction with other than we both used QuizUp."
Once the user details are keyed in on the app, the information is sent to the QuizUp server, but the details are simultaneously transferred to other players on the app, according to Richter.
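Richter's claim is that responses delivered to one player carried other users' private fields. As an added example (not QuizUp's code or Richter's; the field names and response shape are assumptions), the Python below projects a stored record onto an allowlist before it is sent to an opponent and scans a decoded response for sensitive keys, a check that can run in an API test suite.

```python
import json

# Field names are assumptions for illustration; the article lists the kinds
# of data exposed, not QuizUp's actual response schema.
PUBLIC_FIELDS = {"display_name", "avatar_url", "level"}
SENSITIVE_FIELDS = {"full_name", "email", "facebook_id", "gender",
                    "birthday", "location", "phone"}

# Constructed sample record, as a server might store it.
STORED_USER = {
    "display_name": "trivia_fan", "avatar_url": "https://example.com/a.png",
    "level": 12, "full_name": "Jane Example", "email": "jane@example.com",
    "facebook_id": "0000000000", "birthday": "1990-01-01",
    "location": {"lat": 0.0, "lon": 0.0},
}

def public_view(record):
    """Allowlist projection: only fields an opponent is meant to see."""
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}

def find_sensitive(payload, path="$"):
    """Return the JSON paths of sensitive keys anywhere in a decoded body."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}"
            if key.lower() in SENSITIVE_FIELDS:
                hits.append(here)
            hits.extend(find_sensitive(value, here))
    elif isinstance(payload, list):
        for index, item in enumerate(payload):
            hits.extend(find_sensitive(item, f"{path}[{index}]"))
    return hits

def match_response(opponent, redact):
    """Build the body sent to the other player, as JSON text."""
    profile = public_view(opponent) if redact else dict(opponent)
    return json.dumps({"match_id": 1, "players": [{"profile": profile}]})

if __name__ == "__main__":
    for redact in (False, True):
        body = json.loads(match_response(STORED_USER, redact))
        print("redacted" if redact else "raw", find_sensitive(body))
```

An allowlist fails closed: a field added to the stored record later stays out of the response until someone adds it to `PUBLIC_FIELDS`.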
QuizUp has refuted most of the allegations against the company. However, the company later accepted that the app was affected by a bug in a third-party server that might have led to the misuse of account information. The company has already submitted an update to Apple to resolve the glitches.
QuizUp also admitted that not hashing user details while they were transferred to the company server was a mistake; the issues will be taken care of in the coming days. The ghost players were introduced by the company itself to improve user experience.
"Our user's address books are not stored on our servers and only used temporarily to help us find your friends," said Plain Vanilla, the app developer company, reports TechCrunch. "It was a mistake to not hash the contents of the address book before sending to our servers and we are currently changing the client application so it hashes the address book contents before sending to our servers."
The third-party server bug has already been fixed and the updated app will be made available soon, confirmed the company CEO.