Insanely Popular Game QuizUp Was Caught Leaking Private Info About Its Users

Business Insider

People are going nuts for the new addictive iPhone game QuizUp. It was released to the app store on Nov. 7 and already has about 2 million users, the company says.

But QuizUp may have been leaking private information stored on your phone, sending that information to complete strangers, according to Kyle Richter, a developer of a competing trivia app called Trivium.

The company contacted Business Insider and told us it found two bugs, one of which has already been fixed. The other will be fixed when Apple releases the updated app to the app store.

QuizUp lets players compete against their friends or strangers in over 300 different categories of trivia, ranging from the super specific (Desperate Housewives or 16th and 17th Century History) to the more broad (Logos or Physics).

When you sign up, the app asks for access to your email contacts or your Facebook friends, and that's where the problem came from.

In a blog post on Monday, Richter says:

"In the case of QuizUp they actually send you other users’ personal information via plain-text (un-hashed); right to your iPhone or iPod touch. This information includes but isn’t limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is. I have been able to access the personal information of hundreds of people who I have never met, and had no interaction with other than we both used QuizUp. These people likewise had access to my personal information. It is important to keep in mind these were not people who added me as friends inside of the app, these were complete strangers in every sense."

Richter says you didn't have to be a hacker or tech genius to find this information. On his blog he showed an example of the data that QuizUp sent to his phone, full of names, email addresses, even the state each person lives in. He replaced some data with asterisks (**) to protect people, he said.

[Image: QuizUp data. Credit: Kyle Richter]

He notes that Path made a similar privacy mistake and it led to an $800,000 fine by the federal government.

A QuizUp spokesperson told us that there were two security problems with the app: a bug in the app "that has been fixed and submitted in the app store." And there was also a bug on "the server side and that’s been fixed. No information was leaked" from that bug, he says.

The company also says that this is different than the Path case because QuizUp "is not storing user information on servers."


