Secret: ClientId gives away platform (iOS/Android) from which a secret was posted.

2014-07-05T12:18:32
ID H1:19210
Type hackerone
Reporter denull
Modified 2014-08-01T16:40:07

Description

In each /stream API response, every post carries a property named "ClientId". I suppose it is generated by the client application when a user posts a secret. It seems that the iOS and Android applications generate this string quite differently:

xLfLHR (six random characters) — iOS
27c9d93d-7044-40c0-87c8-2fa7d5b252b3 (GUID) — Android

Knowing this information (together with the phone models of one's friends) can possibly help to de-anonymize the authors of secrets.

A simple fix for this problem would be to use the same strategy for generating ClientIds on both platforms.
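The leak and the proposed fix, as an added example that is not part of the original report or of the Secret app's code. The /stream payload below is constructed from the two ClientId values quoted in the report; every other field name is an assumption about the schema. The per-platform generator reconstructs the behaviour the reporter observed (six random alphanumerics on iOS, a GUID on Android), and the uniform generator is one way to implement the suggested fix.

```python
import json
import re
import secrets
import string
import uuid

# Constructed sample of a /stream response. Only "ClientId" comes from the report;
# "Id" and "Text" are assumed field names used here for illustration.
SAMPLE_STREAM = json.dumps([
    {"Id": 1, "Text": "...", "ClientId": "xLfLHR"},
    {"Id": 2, "Text": "...", "ClientId": "27c9d93d-7044-40c0-87c8-2fa7d5b252b3"},
    {"Id": 3, "Text": "...", "ClientId": "aB9kQz"},
    {"Id": 4, "Text": "...", "ClientId": "not-a-known-shape"},
])

# The two formats described in the report.
SIX_CHAR_SHAPE = re.compile(r"[A-Za-z0-9]{6}")
GUID_SHAPE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE
)


def shape_of(client_id: str) -> str:
    """Coarse format class of a ClientId: the feature that gives the platform away."""
    if SIX_CHAR_SHAPE.fullmatch(client_id):
        return "6-char"
    if GUID_SHAPE.fullmatch(client_id):
        return "guid"
    return "other"


def infer_platform(client_id: str) -> str:
    """What a passive reader of /stream can conclude from the ClientId alone."""
    return {"6-char": "iOS", "guid": "Android"}.get(shape_of(client_id), "unknown")


def fingerprint_stream(stream_json: str) -> dict:
    """Map every post in a /stream response to the platform its ClientId reveals."""
    posts = json.loads(stream_json)
    return {post["Id"]: infer_platform(post["ClientId"]) for post in posts}


def legacy_client_id(platform: str) -> str:
    """Reconstruction (assumption) of the observed per-platform behaviour."""
    if platform == "iOS":
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(6))
    return str(uuid.uuid4())


def uniform_client_id(platform: str) -> str:
    """Proposed fix: one generation strategy regardless of platform.

    The platform argument is accepted only to show it no longer influences the output.
    """
    return str(uuid.uuid4())


def leaks_platform(ids_by_platform: dict) -> bool:
    """True if ClientId shape alone separates the platforms.

    If the set of shapes produced on one platform differs from the set produced on
    another, an observer can tell them apart from the stream.
    """
    shape_sets = {frozenset(shape_of(c) for c in ids) for ids in ids_by_platform.values()}
    return len(shape_sets) > 1


if __name__ == "__main__":
    print(fingerprint_stream(SAMPLE_STREAM))
    before = {p: [legacy_client_id(p) for _ in range(5)] for p in ("iOS", "Android")}
    after = {p: [uniform_client_id(p) for _ in range(5)] for p in ("iOS", "Android")}
    print("legacy generation leaks platform:", leaks_platform(before))
    print("uniform generation leaks platform:", leaks_platform(after))
```

With the legacy behaviour, `leaks_platform` returns True because the iOS and Android shape sets are disjoint; once both platforms use the same generator, every post classifies identically and the stream no longer reveals the poster's device type.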