Yik Yak, an anonymous social media app for iOS often used on college campuses, has been accused by a computer science student of being designed in a way that can potentially allow users to deanonymize others and even stalk them.
The app first launched in 2013, shut down four years later, and reemerged in 2021. It works by letting users create threads in a message board within an 8-kilometer radius.
To achieve that, the app has access to the exact location where a post is made and a user’s unique ID. During its first time around, Yik Yak was often the target of criticism for enabling harassment and online bullying of students, and other forms of threats and violence, which led the company behind it to block it in middle and high schools.
Now, despite having what it calls community guardrails in place and saying that it works to make all users welcome and safe, the same type of criticism is emerging against Yik Yak again.
According to Vice, David Teather, the student who looked into how the app works, used mitmproxy to intercept and analyze the data the app sends and receives. In addition, he came up with code pretending to be the app to “extract information from it.”
Teather’s findings are that Yik Yak sends every post’s precise GPS location to the app along with a unique ID assigned to users.
With these two data points, Teather contends in a blog post, a stalker could deanonymize a user and monitor their movements by looking at the locations of a series of posts, and then use that knowledge for nefarious purposes.
On the app itself, this type of specific and precise data that can unmask users is not visible – it only shows the distance in miles and the name of a large location, such as a city borough. And yet with readily available tools, tech-savvy people can learn so much more.
According to Teather and another researcher who had access to his investigation of the app, this means that Yik Yak, which promises users an anonymous connection with others near them, can actually put them at risk of stalking and doxing. However, it’s worth noting that there’s no evidence of this ever happening.
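One way a backend could close the gap between what the interface shows and what the API returns, as an added example that is not Yik Yak's code or Teather's: build each client response from an allowlist, swap the user ID for a per-thread pseudonym, and report only a coarse distance. The field names, grid size and key below are assumptions made for illustration.

```python
import hashlib
import hmac
import math

# Assumptions: the key stays server-side; the grid size is an arbitrary choice.
PSEUDONYM_KEY = b"constructed-demo-key"
GRID_DEGREES = 0.05  # cell edge, roughly 5.5 km of latitude

def thread_pseudonym(user_id, thread_id):
    """Alias that is stable inside one thread but unlinkable across threads."""
    msg = f"{thread_id}:{user_id}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:12]

def coarse_cell(lat, lon):
    """Snap a coordinate pair to the centre of its grid cell."""
    def snap(v):
        return round((math.floor(v / GRID_DEGREES) + 0.5) * GRID_DEGREES, 4)
    return snap(lat), snap(lon)

def haversine_miles(a, b):
    (lat1, lon1), (lat2, lon2) = (tuple(map(math.radians, p)) for p in (a, b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 3958.8 * 2 * math.asin(math.sqrt(h))

def to_client_view(post, viewer_lat, viewer_lon):
    """Allowlisted response: raw lat/lon and user_id never leave the server."""
    # Distance is measured between coarse cells, so varying the viewer
    # position inside a cell does not change the reported value.
    dist = haversine_miles(coarse_cell(post["lat"], post["lon"]),
                           coarse_cell(viewer_lat, viewer_lon))
    return {
        "post_id": post["post_id"],
        "text": post["text"],
        "area": post["area"],
        "author": thread_pseudonym(post["user_id"], post["thread_id"]),
        "distance_miles": round(dist),
    }

# Constructed internal record, not captured from any real service.
SAMPLE_POST = {"post_id": "p1", "thread_id": "t1", "user_id": "u-1234",
               "lat": 40.712776, "lon": -74.005974,
               "area": "Manhattan", "text": "hello"}

if __name__ == "__main__":
    print(to_client_view(SAMPLE_POST, 40.73, -74.01))
```

Inspecting the response with an intercepting proxy such as mitmproxy, as Teather did, is also how a team can confirm that the fields sent over the wire match what the interface displays.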