Wednesday, 1 April 2020

Here’s why the Houseparty hacking rumors are probably just a smear campaign

Now is a pretty strange and desolate time, where people have been ordered to stay indoors for the foreseeable future to safeguard themselves as well as the society. Regardless of what the memes may suggest, the inherent human urge to socialize has slowly started to get to us, putting video calling services on a pedestal like never before.

While there has never been a shortage of these applications, some have been able to claim a bigger pie of our life. One of the more prominent winners was Houseparty, a face to face social network where all interactions are based around video conferencing. It’s a pretty simple premise - you sign in into the app, connect your contacts or social accounts to find your friends, and initiate group calls to them alongside small games. You can also see which friends are online and available for conversations. This simplicity in what it offers has made it win many hearts over the past few weeks, with the number of downloads growing exponentially, with over 2 million new users each week in March. 

When everything was seemingly going great for Houseparty, a sudden series of events caused many users to delete the app out of panic. On March 31, incidents of users (in the form of screenshots) started making rounds on social media, which talked about how Houseparty was a scam, causing people to lose access to their Spotify and Instagram accounts, with some even talking about fraudulent transactions being initiated. Hacks, data breaches, and monetary scams are perhaps the worst kind of allegations any platform wants to face, especially one that has just entered the limelight.

Following the basic damage control protocols, Houseparty took to Twitter to deny all allegations of any breach, stating that the app was as safe as it always has been. Moreover, it even went on to state that this might be a smear campaign (presumably by a competitor), and any person who can shed more light or prove them right will be eligible for a bounty worth a million dollars (~ Rs 7.5 cr). That is unarguably a bold statement, mainly because no evidence backed it. So we decided to take the matter into our own hands and try to verify the happenings.

False allegations?

Firstly, we checked the allegations. They were merely a bunch of screenshots from a few (non-Indian) users, each having a different story but of a similar nature. Thankfully, with the advent of the internet, it wasn’t too difficult to track these “users” down. 

First up, we have Twitter user @williamzx7, who reported having his FIFA account hacked. The screenshot did not contain any evidence of hacking, just a cropped image of an email from EA (the developer of the game) with a security code; not enough to conclude it was a hack. More interestingly, the tweet is nowhere to be found on this profile. In fact, the last original tweet (not a retweet) was on March 4.

Next up was another Twitter user @iskagardner, who apparently had a transaction request made from her account. When we checked, her account was live and actively used. We were even able to find the exact tweet (it was cached in our browser), but it seems to have been taken down since. We tried asking her for more details, but she blocked us.

Then, we had @megycassidy, who apparently tweeted that Houseparty is hacking into people’s Spotify, Snapchat, and banking apps. No evidence was attached. Her Twitter profile was locked, and she hasn’t accepted our follow request in over 24 hours, so we couldn’t verify this one.

A more interesting screenshot was from a Snapchat user @merrie-96, who shared images of similar tweets lashing out at Houseparty on her Stories, along with a caption stating that she had her Instagram hacked along with a £900 fraudulent transaction on her bank account earlier this week. We were able to track her down but couldn’t spot the exact story (Snapchat Stories disappear in 24 hours, so we will give her the benefit of the doubt).

She was quick to ask us how we found her profile as she suddenly had a surge of follow requests. We explained the situation and disclosed our purpose in getting in touch with her. She admitted to having posted that story and told us that there had been 12 attempts to hack her Instagram. She ignored our follow-up requests for evidence and couldn’t tell us which phone she was using. She termed the situation “strange” and “too coincidental” and concluded that Houseparty was the culprit by “putting 2 and 2 together.”

The next viral screenshot was from yet another Twitter user @harry-howell, who stated that his Spotify account was hacked. His profile is protected and he is yet to accept our follow request, so this claim remains unverified. The same was true for the next person, who tweeted screenshots of other complaints, which were incidentally the same ones that we mentioned above.

Lastly, we had @clairenstewart, who shared images of suspicious login attempts into her Spotify and Microsoft accounts. However, her account did not exist when we checked on March 30, which could either mean that her profile has been taken down, or it never existed.

Thoughtfully targeted

So, at press time, we are unable to verify any of the allegations that had been doing the rounds on the internet. We will update this bit if we can establish communication with any of them later. Another smaller detail we spotted was that all screenshots were taken at the exact same time, one after the other (corroborated by the battery percentage). Not implying anything, but it could mean that the screenshots were intentionally taken one after another and didn't need much searching for.

They also seem to have been shared only in India and only over WhatsApp, which has a history of acting as a fake news and panic mill. Considering that Indian youth form a big part of Houseparty's user base, this doesn't come as a surprise as India also happens to be WhatsApp's biggest market.

But, is Houseparty actually safe to use?

There's also an entirely technical side to this: an app cannot access the accounts of other unrelated, unlinked apps. By design, neither Android nor iOS allows that. The only permissions Houseparty is granted cover your friend list on Facebook and Snapchat, and your contacts, all of which you need to explicitly provide during the setup phase.

Correlation doesn't necessarily imply causation, as people can have their accounts compromised for a multitude of reasons. The only correlation was that Houseparty was apparently one of the new apps that they'd installed.

We also checked the local device permissions granted to Houseparty (which we recommend you do as well); none of them revealed anything suspicious. It was granted permission to access the camera, contacts, microphone, and storage, all essential to conducting a video call. It also asks for location data, but that is optional and non-essential to the core functioning of the app, so we denied it. The app’s limited feature set also leaves fewer possible avenues for any mishaps.

News18 took that a step further and had cybersecurity experts look at the app’s code for any vulnerabilities, but they were unable to spot any.

What if the allegations are legit?

One possibility is users reusing the same password across multiple services, which makes them easier targets for hackers. Cyber-criminals are known to resort to credential stuffing attacks, where previously leaked username and password pairs are tried against other accounts of the same person. But even if that is the case, the onus is on the user and not on Houseparty.
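As an added example (not from the article or from Houseparty), the following Python script shows how a service's defenders can tell credential stuffing apart from plain brute forcing in their own login logs: stuffing spreads over many accounts with roughly one attempt each, so the accounts that succeed from such a source are the ones whose reused passwords need resetting. The log format and IP addresses are constructed for the demo.

```python
"""Flag credential-stuffing sources in constructed auth logs (added example)."""
from collections import defaultdict

# Constructed sample log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-03-30T10:00:01 203.0.113.7 alice FAIL
2020-03-30T10:00:02 203.0.113.7 bob FAIL
2020-03-30T10:00:03 203.0.113.7 carol OK
2020-03-30T10:00:04 203.0.113.7 dave FAIL
2020-03-30T10:00:05 203.0.113.7 erin FAIL
2020-03-30T10:00:06 203.0.113.7 frank FAIL
2020-03-30T10:00:07 198.51.100.4 alice FAIL
2020-03-30T10:00:08 198.51.100.4 alice FAIL
2020-03-30T10:00:09 198.51.100.4 alice FAIL
2020-03-30T10:00:10 198.51.100.4 alice FAIL
2020-03-30T10:00:11 198.51.100.4 alice FAIL
2020-03-30T10:00:12 198.51.100.4 alice FAIL
2020-03-30T10:00:13 192.0.2.9 grace OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        ts, ip, user, result = parts
        events.append((ts, ip, user, result == "OK"))
    return events


def classify_sources(events, min_attempts=5, stuffing_user_ratio=0.8):
    """Label each source IP 'stuffing', 'brute_force' or 'normal'.

    Stuffing: many distinct usernames, about one attempt each (leaked pairs
    being replayed). Brute force: few usernames, many attempts each.
    """
    attempts, users = defaultdict(int), defaultdict(set)
    for _, ip, user, _ok in events:
        attempts[ip] += 1
        users[ip].add(user)
    labels = {}
    for ip, n in attempts.items():
        if n < min_attempts:
            labels[ip] = "normal"
        elif len(users[ip]) / n >= stuffing_user_ratio:
            labels[ip] = "stuffing"
        else:
            labels[ip] = "brute_force"
    return labels


def compromised_accounts(events, labels):
    """Accounts that logged in successfully from a stuffing source."""
    return {user for _, ip, user, ok in events
            if ok and labels.get(ip) == "stuffing"}
```

Accounts returned by `compromised_accounts` are the ones whose owners most likely reused a leaked password and should be forced through a reset.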

Another remote possibility for why the attacks happened, if we believe the claims, could be other malicious apps or websites recently visited by the complainants. We know for a fact that everyone’s internet usage and consumption has significantly increased in this period. It’s not too far-fetched that some of them wandered too far and were thus targeted.

Houseparty as an app was launched in 2016. It clearly isn’t a new app that might have been developed with nefarious intentions. In fact, Epic Games, the developer of Fortnite and other high-profile titles, acquired Houseparty last year, adding another layer of credibility to the mix. It’s a simple fact that if a giant like this actually gets proven guilty, its future is in shambles. It ideally wouldn’t take a risk so huge, even if the odds of getting caught were close to zero.

That confidence is also evident in the follow-up announcement from Houseparty, where it will be offering a bounty to anyone who can provide proof that this entire incident is a smear campaign. Houseparty seems confident that it is one, and continues to maintain its stance: “All Houseparty accounts are safe - the service is secure, has never been compromised, and doesn’t collect passwords for other sites.”

In the meantime, we are also in touch with the Houseparty team to get further clarifications and assurances from their side. While we wouldn’t go as far as calling them innocent just yet, most of the evidence does seem to point that way. Our independent efforts, too, couldn’t find any users in our circles who had any of their accounts compromised. In case you know someone who did, please reach out to us.

Until then, we don't see a reason to stay away from Houseparty. Just ensure you follow the general best practices to be safe on the internet.

https://ift.tt/2WUvYmu
