The new vulnerability report Giggle; laughable security from Digital Interruption reveals that the Giggle user community’s founders ignored warnings of a serious vulnerability that exposed women’s and teens’ location and other data, placing them at serious risk. The report also details the Giggle team’s failure to delete user data when accounts are deleted, and its flawed and questionable user verification processes.
This is an example of why every company should have a vulnerability disclosure program. We see too many cases in which the hacking community draws attention to a major gap in security, only to have the organization ignore the warnings and even target well-intentioned hackers with threats. The statement by the Giggle team that they don’t need a vulnerability disclosure program because they have a security team is ludicrous on its face. It’s like saying: I have a family doctor, so I don’t need a specialist.
Also especially troubling are the reported problems with its user verification and data retention policies. According to reports, the Giggle app, geared towards teens and women, actually puts those very users at risk through its data retention policies, because it gathers exactly the kind of location information that stalkers and cyber attackers leverage to abuse victims. The app reportedly retains that data even after users leave the community and delete the app, and the Giggle team misleads users and former users by telling them their data is purged when they quit the community.
Moreover, the Giggle verification process “validates” gender through a facial recognition process that can potentially exclude many women, including the trans community, gating membership solely to those who fit stereotypical and outdated notions about appearance… designating who’s a woman and discriminating based on appearance, leading many of us to wonder about fundamental problems beyond Giggle’s obvious and reported cybersecurity flaws.