You see, once you have at least seven people in your phone's contact list using Secret, the app will tag their posts as coming from a "friend". But what if only one of those contacts is actually real? That's what Caudill seized on: by clearing out his contact list, and adding the target's contact information along with a handful of dummy accounts he created, any secret the target posted would be properly tagged as a friend post. Voilà: a relatively quick and easy way to unmask just about whoever you want... as long as you can scrounge up their email address and phone number.
As Wired points out, the trick definitely worked, but only in one direction. Thankfully, there's still no (publicly disclosed) way to suss out a user's identity starting from a secret they've already shared with the world. Secret CEO David Byttow confirmed that this particular issue has been taken care of, which makes it one of the latest in a long list of bugs (42, to be precise) that've been closed since Secret opened up its bug bounty program six months ago. Still, we can't help but wonder how long it'll be before someone without white-hat scruples stumbles upon some security flaw and starts going to town with it. Remember, Secret users: you can always unlink your comments if you start getting cold feet.
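The friend-tag threshold described above only protects anyone if the seven contacts are all plausible authors. The sketch below is an added example, not Secret's code; the article does not say how the issue was fixed, so the hardened rule and its account-age and listed-by-others criteria are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

FRIEND_THRESHOLD = 7  # the article's figure: seven contacts using the app


@dataclass(frozen=True)
class Contact:
    handle: str
    account_age_days: int   # constructed attribute, assumed known to the service
    listed_by_others: int   # how many other users' address books hold this contact


def naive_friend_tag(contacts):
    """The rule as the article describes it: count matching contacts only."""
    return len(contacts) >= FRIEND_THRESHOLD


def plausible_authors(contacts, min_age_days=30, min_listed_by=3):
    """Contacts that could credibly be the author (hypothetical criteria)."""
    return [c for c in contacts
            if c.account_age_days >= min_age_days
            and c.listed_by_others >= min_listed_by]


def hardened_friend_tag(contacts):
    """Show the tag only when the crowd of credible authors is big enough."""
    return len(plausible_authors(contacts)) >= FRIEND_THRESHOLD


# Constructed sample data: one established account padded with six fresh ones,
# and an ordinary address book of nine established accounts.
padded_list = [Contact("target", 400, 85)] + [
    Contact(f"dummy{i}", 0, 1) for i in range(6)]
ordinary_list = [Contact(f"friend{i}", 200 + i, 10 + i) for i in range(9)]

if __name__ == "__main__":
    for name, book in (("padded", padded_list), ("ordinary", ordinary_list)):
        print(name, naive_friend_tag(book), len(plausible_authors(book)),
              hardened_friend_tag(book))
```

For the padded list the count-only rule shows the tag while the effective anonymity set is a single account; the ordinary list passes both rules.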