HighThere, the "Tinder for Tokers," is a stoner app for finding smoking buddies. When you first download the app and join the network, HighThere asks for your location data and your energy level when stoned, so it can match you with potential friends.
This data would be a jackpot for police if they could get their hands on it. So if you're one of HighThere's 150,000 users, you might be wondering: Is your information safe?
Mic reached out to hacking and cybersecurity firm Synack to find out. After just a few minutes, Synack concluded that HighThere's security is "student project level." Anyone with knowledge of computer science could use HighThere to find the name, photograph, smoking habits and even personal location of nearby users with ease.
Information galore: Synack hacker Oren Yomtov found that just by looking at the data the app sends through a nearby home router, you could expose and locate any user whose profile information is visible. The Synack team used passive data-gathering methods: They simply watched the data moving between the phone and the router, and didn't have to penetrate servers or send data anywhere.
When an app like Tinder tells you someone is a mile away, that person's exact location stays on a remote server. HighThere instead sends your phone a raw report of every nearby user and does all that distance math locally on the phone.
Put simply: HighThere is constantly bouncing around unencrypted dossiers of its users — confessed marijuana consumers — in the open air for anyone to intercept. That information includes user location, down to the foot.
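The design difference the article draws, a server that computes distance and returns only the result versus a client that receives every nearby user's raw record, is easy to see side by side in code. The Python below is an added illustration, not code from HighThere, Synack or Mic: the user records, coordinates and field names are constructed for the example, and the hardened feed goes slightly beyond the text by also dropping the fields (real name, photo, exact coordinates) that the article says were exposed.

```python
import math
from dataclasses import dataclass, asdict

# Constructed sample records standing in for what the article says the
# app holds about each user (field names are hypothetical).
@dataclass
class UserRecord:
    user_id: str
    full_name: str
    photo_url: str
    smoking_pref: str
    energy: str
    lat: float
    lon: float

USERS = [
    # "John"-style record near the requester (Manhattan, constructed)
    UserRecord("u1", "John Example", "https://example.invalid/john.jpg",
               "smoke", "medium", 40.7484, -73.9857),
    # a second user further away, outside a 3 mile radius
    UserRecord("u2", "Jane Example", "https://example.invalid/jane.jpg",
               "edibles", "high", 40.7128, -74.0060),
]

MILE_M = 1609.344

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))

def leaky_nearby_feed(users):
    """The design the article describes: the full record of every nearby
    user, exact coordinates included, is handed to the client, which then
    works out distances itself. Anyone who can read the traffic gets the
    same dossier the phone gets."""
    return [asdict(u) for u in users]

def private_nearby_feed(req_lat, req_lon, users, radius_miles):
    """Server-side alternative: the server does the distance math, filters
    by radius, rounds the distance up to whole miles and returns only the
    fields the matching screen needs. Precise coordinates, real names and
    photo URLs never leave the server. (The response still has to travel
    over TLS; coarsening the data does not replace transport encryption.)"""
    feed = []
    for u in users:
        miles = haversine_m(req_lat, req_lon, u.lat, u.lon) / MILE_M
        if miles > radius_miles:
            continue
        feed.append({
            "id": u.user_id,
            "display_name": u.full_name.split()[0],  # first name only
            "energy": u.energy,
            "miles_away": max(1, math.ceil(miles)),
        })
    return feed

if __name__ == "__main__":
    # Requester at a constructed midtown Manhattan position.
    print("leaky:", leaky_nearby_feed(USERS))
    print("private:", private_nearby_feed(40.7580, -73.9855, USERS, 3))
```

Running it shows the contrast directly: the leaky feed contains `lat`, `lon`, `full_name` and `photo_url` for every user, which is exactly what a passive observer of the app's traffic would collect, while the private feed says only that one user is about a mile away and omits the second user entirely.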
What police can do with it: "This is maximum fun for law enforcement — an incredibly useful tool," Tony Gambacorta, Synack's vice president of operations, said in a phone call as he began pulling up user data. "God bless the criminal who advertises where he is and what he's doing."
To demonstrate, the Synack team instantly pulled up the information of someone named John and listed his profile information, saying that he preferred to smoke his weed, had a "medium" energy level and listed gaming and music as his interests.
Synack punched John's latitude and longitude into Google Maps, and everyone on the phone line burst out laughing: John was right around the corner, in the building of a nearby law firm, possibly an employee there.
Gambacorta imagined a hypothetical scenario where police could pick a target area, watch everyone using HighThere on a map and identify dealers by seeing who quickly visits multiple users throughout the day. The data could also be used in tandem with the already ubiquitous data maps police use to predict crime.
"You could not write a better tool for arresting people than this," Gambacorta said.
The researchers at Synack were unable to see messages within the app, because that would have required them to access HighThere's server with actual hacking. Given what they'd seen so far, they estimated that the server-side security was "probably not great."
Getting personal: What's most alarming isn't just that people use this leaky app to confess their drug use for any police officer to see; it's exactly how much you can learn about someone once you add his or her basic profile information to everything else that's publicly available.
Some users opted not to use their real names in their profiles, but their full names could be identified using a simple Google image search. From there, Google makes employment information on LinkedIn and friend groups on Facebook just another query away.
Police can correlate the personal information collected from various sources — Google, social media and public documents — with information on HighThere to build an even more complete profile of your activities and habits.
An app that knows exactly how you like to smoke and what you like doing when you're high has a fascinating, but selective, slice of your personality. Add that to everything police can learn about you from Facebook along with live data on wherever you go, and you're looking at a wild level of personal surveillance.
Be safe out there: Police know you're using apps and smartphones to get your weed, and have used everything from drug lords' Instagrams to college kids' Venmo feeds to bust drug dealers and their customers.
More prudent drug dealers who want to mask their businesses using more than code words over SMS use encrypted chat apps like Wickr, where messages are scrambled in transit and destroyed completely upon reading.
"If you're going to do something like track people participating in an illegal activity, you need to have superb data privacy on your platform," Gambacorta said.
When we approached HighThere with our findings, it sent us this statement about how it plans to improve its security:
HighThere! considers user privacy as a top priority. And for the past several months, we have been working diligently to enhance our current measures of protecting data. This work will be completed in the very near future, with an upcoming release that will include industry standard encryption, throughout all levels of the application.
We'll update this story if it develops. In the meantime, be careful how you coordinate your drug deals. You never know who's listening.