QuizUp, which has been one of the top-selling iOS apps for the past week or so, is full of “shocking” security holes, claims Kyle Richter, the developer behind the popular competing (so..) trivia game Trivium in a blog post.

What I found was at first surprising; then shocking […]

They actually send you other users’ personal information via plain-text(un-hashed); right to your iPhone or iPod touch. This information includes but isn’t limited to: full names, Facebook IDs, email addresses, pictures, genders, birthdays, and even location data for where the user currently is.

I have been able to access the personal information of hundreds of people who I have never met, and had no interaction with other than we both used QuizUp. These people likewise had access to my personal information. It is important to keep in mind these were not people who added me as friends inside of the app, these were complete strangers in every sense … 

As TechCrunch notes, sending unencrypted sensitive data in a way that is vulnerable to interception is exactly what got Path intro trouble, resulting in an $800,000 settlement with the FTC.

Richter declined to go into detail about the exploit he used, but has passed full details to QuizUp developers Plain Vanilla. Plain Vanilla CEO Thor Fridriksson claims there are inaccuracies in the blog claims, though admitted in a statement to TechCrunch that there are weaknesses.

Due to a bug in our third-party network library this encryption could be weakened on some occasions. This issue has been addressed in an update waiting review at Apple. User’s passwords are hashed before we store them in our databases. The user’s Facebook access token is never stored in plain text on the client.

Our user’s address books are not stored on our servers and only used temporarily to help us find your friends. It was a mistake to not hash the contents of the address book before sending to our servers and we are currently changing the client application so it hashes the address book contents before sending to our servers.

The key issues appear to be that although SSL is used to transmit the data, both contact data and Facebook access token were transmitted in plain text and could be easily intercepted.

As of the time of writing, Plain Vanilla says that the server fix has already been made and that a revised version of the app is awaiting approval by Apple.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear