It seems to be the perfect founding story: 19-year-old Stanford dropouts who get their big break through someone they met at a frat party. The Social Network 2.0 playing out before our very eyes. But these are entrepreneurs who have access to an inordinate amount of highly sensitive information about their peers and young people all over the country through their app Fizz, which promises anonymity to its meme-making, confession-posting users.
In light of Fizz’s recent $4.5 million funding round, students at Stanford — and at every single one of the more than 1,000 campuses that Fizz intends to launch at — should know that Fizz was hacked last year by three Stanford students.
Fizz did not protect their users’ data. What happened next?
Aditya Saligrama ’24, Miles McCain ’24 and Cooper de Nicola ’22 M.S. ’23 told me in an email that they investigated Fizz’s security on the evening of Nov. 5, 2021, after they were “initially concerned by Fizz’s strong public claims of total anonymity.” I had reached out to one of the students in early fall quarter after a mutual friend told me that Fizz had apparently been hacked last year.
Saligrama, McCain and de Nicola all have professional experience in cybersecurity and have previously performed dozens of security vulnerability disclosures. They had no prior relationship with Fizz or its founders, Teddy Solomon and Ashton Cofer. Seeing the number of highly sensitive and personal posts made by fellow students on the app, they realized that “if a security vulnerability could result in the deanonymization of posts, that information could be extremely harmful to Stanford students.”
Hoping to ensure Fizz users’ safety and “intending to inform their founders about any potential vulnerabilities,” the team began to dig. Here is what they told me they found, as they wrote in their October 2022 email (emphasis added):
“At the time, Fizz used Google’s Firestore database product to store data including user information and posts. Firestore can be configured to use a set of security rules in order to prevent users from accessing data they should not have access to. However, Fizz did not have the necessary security rules set up, making it possible for anyone to query the database directly and access a significant amount of sensitive user data.
We found that phone numbers and/or email addresses for all users were fully accessible, and that posts and upvotes were directly linkable to this identifiable information. It was possible to identify the author of any post on the platform.
Moreover, the database was entirely editable — it was possible for anyone to edit posts, karma values, moderator status, and so on. Having moderator status granted access to a dashboard that provided the ability to delete arbitrary posts.”
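The researchers' description above boils down to a Firestore deployment whose security rules never restricted what a client could read or write. The ruleset below is an added illustration, not Fizz's actual configuration or any code from the researchers: the collection names (`users`, `posts`, `post_authors`, `upvotes`) and field names are assumptions chosen to show the defensive pattern. It first shows, in a comment, what an absent or untightened "test mode" ruleset amounts to, then a hardened ruleset that keeps identity records owner-only, stores posts with no identifying field, blocks clients from setting their own moderator status or karma, and puts the post-to-author mapping in a collection no client can touch. It assumes post creation and moderation go through a trusted backend using the Admin SDK, which bypasses these rules.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // --- What "no security rules" effectively amounts to (shown for contrast) ---
    // A ruleset like this one, or a test-mode ruleset that was never tightened,
    // lets any client read and overwrite every document in the database:
    //
    //   match /{document=**} {
    //     allow read, write: if true;
    //   }

    // --- Hardened ruleset (collection layout is hypothetical) ---

    function signedIn() {
      return request.auth != null;
    }

    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // Fields a client may never change on its own user document.
    // Moderator status and karma are assigned by the backend only.
    function touchesProtectedFields() {
      return request.resource.data.diff(resource.data)
               .affectedKeys().hasAny(['isModerator', 'karma']);
    }

    // Identity records (phone number, email): readable only by their owner.
    // Rules cannot hide individual fields, so nothing else may live here
    // that another client would need to read.
    match /users/{uid} {
      allow read: if isOwner(uid);
      allow create: if isOwner(uid)
                    && request.resource.data.keys().hasOnly(['phone', 'email', 'createdAt'])
                    && request.resource.data.createdAt == request.time;
      allow update: if isOwner(uid) && !touchesProtectedFields();
      allow delete: if false;
    }

    // Posts carry no identifying field at all. Clients only read them;
    // creation, editing and deletion go through the trusted backend.
    match /posts/{postId} {
      allow read: if signedIn();
      allow write: if false;
    }

    // The post-to-author mapping lives in a collection no client can touch.
    // Only the backend (Admin SDK, which bypasses these rules) reads or writes it.
    match /post_authors/{postId} {
      allow read, write: if false;
    }

    // A voter may see and cast only their own vote; nobody can enumerate
    // who upvoted a post, so votes cannot be linked back to identities.
    match /upvotes/{postId}/voters/{uid} {
      allow read: if isOwner(uid);
      allow create: if isOwner(uid)
                    && request.resource.data.keys().hasOnly(['createdAt'])
                    && request.resource.data.createdAt == request.time;
      allow update, delete: if false;
    }
  }
}
```

Two design points matter more than any single line. First, rules govern only client SDK traffic; anything a moderator dashboard does with the Admin SDK must be authorized by the backend itself, since the `isModerator` flag in Firestore is worth nothing if the dashboard trusts a client-supplied claim. Second, rules can deny access to a document but cannot redact fields within it, so the only way to make posts and upvotes unlinkable to phone numbers or emails is to never place the linkage in a client-readable document, which is why the mapping gets its own fully closed collection. A ruleset like this is deployed with `firebase deploy --only firestore:rules` and should be exercised against the Firestore emulator before release, with test cases asserting that an unauthenticated client and a second signed-in user are both denied on `users` and `post_authors`.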
The team said they “notified Fizz about the security vulnerabilities on November 8, 2021,” following industry best practices. They said that Fizz initially thanked them for sharing their findings and told them on Nov. 22, 2021 that they “considered the issues fixed.”
On the very same day, Nov. 22, Saligrama, McCain and de Nicola received a legal threat from Fizz’s lawyers.
“Fizz’s lawyer threatened us with criminal, civil, and disciplinary charges unless we agreed to keep quiet about the vulnerabilities. If we agreed to their demands within five days, they said they would not pursue ‘charges,’” the team told me.
The Daily obtained a copy of the letter sent by Fizz’s lawyers, which included the following threats (Fizz was called Buzz at the time of this letter):
“[the security researchers] may be liable for fines, damages and each individual of the [security research] Group may be imprisoned… Criminal penalties under the CFAA can be up to 20 years depending on circumstances.”
“the Group’s agreement to infiltrate Buzz’s network is also a separate offense of conspiracy, exposing the Group to even more significant criminal liability.”
Far from their apparent welcoming of constructive concerns in the nascent stage of their app, Fizz’s founders chose instead to prioritize the preservation of their image — even if that meant violating industry norms and threatening their classmates with decades of jail time. Their actions may discourage future white-hat hackers from disclosing crucial security information about the app. For reference, Google has a Vulnerability Reward Program that awards security researchers several millions of dollars per year “to honor all the cutting-edge external contributions that help us keep our users safe.”
The trio did not back down. “The Electronic Frontier Foundation (EFF) generously agreed to represent us pro bono, and we did not agree to Fizz’s demands. Threatening your classmates with felony charges in an attempt to cover up your mistakes isn’t a good look,” Saligrama, McCain and de Nicola told The Daily.
Solomon and Cofer did not respond to multiple requests for comment on this incident and Fizz’s security.
Buzz had serious problems. What does this mean for Fizz?
Fizz today, with far more money, experience and employees, stores user data more securely than they did a year ago. I have the same praise and concerns about the app itself as I had last year when I wrote my first article on the startup. There will surely always be a place for anonymous apps on college campuses, as we’ve seen time and time again.
However, one might have less faith that the company’s reaction to scrutiny – driven by the same individuals – can change so easily. Who do you trust to securely handle your data and most personal confessions? Who do you trust to shape your perception of the “true” nature of our campuses and communities?
This vulnerability disclosure is just one incident in Fizz’s history, but it provides a deep window into the company’s operations. To name just four major areas of concern:
- Fizz had such a large, easily discoverable data vulnerability in the first place, compromising users’ privacy.
- Fizz did not truly welcome the good-faith vulnerability disclosure, instead sending a legal threat to the team of student researchers.
- Fizz did not disclose the data breach to their users as fully and transparently as they could or should have done.
- Our data was not anonymized in Fizz’s database.
Until all of these issues have been satisfactorily resolved, our trust in Fizz may not be fully restored.
Although Fizz released a statement entitled “Security Improvements Regarding Fizz” on Dec. 7, 2021, the page is no longer navigable from Fizz’s website or Google searches as of the time of this article’s publication. In talking to other Fizz users on campus, I found that very few had heard about last year’s incident. Fizz should have kept the statement up and made an official post on the app about the vulnerability when it happened. Surely all users want to be clearly informed when our trust in an app is violated. We want to know that the content and upvotes we see cannot be manipulated in any way by moderators and developers.
I sincerely hope that Fizz’s founders will not react so aggressively in response to future good-faith vulnerability disclosures and scrutiny more broadly. Fizz can only sustainably improve if its leaders listen and remain accountable to these many college communities. Anything less could pose massive risk to Fizz users and the future of the app.