You're still not anonymous on Looped

tl;dr: Looped fixed the bug from part 1. That’s all they fixed.

Looped update

After reading my post from yesterday, Looped took action and implemented a fix to stop hemorrhaging data. If we take a look at the data for the main feed again, we see that every creatorId appears as -1. This means that historical Looped post data is now anonymous – to us, at least. Looped still knows who you are.

Comment data showing identical creatorIds

Kudos to the Looped team for fixing this within a matter of hours on a Sunday afternoon.

Missed a spot

When someone creates a post, Looped pushes the post to your device, and the “new posts” bubble pops up at the top of the feed. Surprisingly, this data contains the creator’s id, name, handle, and profile picture. No phonebooks required.

Data containing the contents of the new post, as well as the id, name, handle, and profile picture of its creator

Photo EXIF data

Cameras and phones attach EXIF metadata to every photo they take, and it encodes things like camera settings (aperture, exposure time, focal length), photo orientation, camera/phone model, GPS location, and timestamp. Data like this allowed authorities to catch a member of Anonymous in 2012. Most social networks made by people who know what they’re doing, like Facebook and Twitter, scrub this data due to its obvious potential for abuse. Not Looped.

EXIF data table

If we download this photo of an H-shaped balloon stuck to the Sharples ceiling, the EXIF data shows that the person who posted it took it using a Motorola Moto G7 at 12:08 AM (Crumb Cafe closing time) at the coordinates 39.903304 N, 75.353825 W. How many people do you know who own a Moto G7?

It’s easy to imagine a scenario in which posting a photo with EXIF data attached could put someone in danger or legal trouble.

EXIF data table
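What scrubbing looks like in practice, as an added example (not Looped's code and not from the original post): a standard-library Python routine that an upload handler could run to drop the APP1/Exif segment, where the camera model, timestamp and GPS tags live, from a JPEG before storing it. The function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"  # identifies an Exif payload inside an APP1 segment

def segments(jpeg):
    """Yield (marker, start, end) for each segment after SOI, ending with SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while True:
        if pos + 4 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"malformed segment header at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data runs to end of file
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("segment length runs past end of file")
        yield marker, pos, end
        pos = end

def is_exif(jpeg, marker, start, end):
    return marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER)

def has_exif(jpeg):
    return any(is_exif(jpeg, *seg) for seg in segments(jpeg))

def strip_exif(jpeg):
    """Return the JPEG with APP1/Exif segments dropped; fails closed on bad input."""
    kept = [jpeg[s:e] for m, s, e in segments(jpeg) if not is_exif(jpeg, m, s, e)]
    return b"\xff\xd8" + b"".join(kept)

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JPEG segment layout only, not a decodable photo.
SAMPLE = (b"\xff\xd8"
          + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, EXIF_HEADER + b"II*\x00" + b"<constructed TIFF/GPS bytes>")
          + _seg(0xDB, bytes(65))
          + b"\xff\xda\x00\x02\x12\x34\xff\xd9")

if __name__ == "__main__":
    clean = strip_exif(SAMPLE)
    print(has_exif(SAMPLE), has_exif(clean), len(SAMPLE), len(clean))
```

Dropping the segment also discards the EXIF orientation tag, so a pipeline that wants photos to display upright has to apply the rotation to the pixels first. XMP metadata, which also sits in APP1 under a different header and can carry GPS fields, is not touched by this example.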

Conclusions

It is still possible to find the identities related to Looped anonymous posts. Metadata attached to photos you take and post on Looped may give away your location.

The Looped team was able to address the bug I wrote about yesterday, but they are evidently more interested in applying band-aids to issues as they come, rather than addressing root causes or architecting a secure solution to keep Looped users safe. Their passive approach to security is irresponsible and dangerous.