A dog walking app inadvertently exposed customers' addresses and codes to lockboxes where they kept keys to their homes.
Image: Emanuel Maiberg
Last year I got my first dog, and it's one of the best things that has ever happened to me. My mutt Gordo is the only pure thing in my life, but he also introduced a bunch of new chores to my life.
The most obvious of these is that a few times a day I need to take him outside, because that's where he poops and pees. Before I moved closer to VICE's office, my commute was more than an hour long each way, meaning I had to pay someone to walk Gordo in the middle of the day while I was gone. I never had a dog before, and I wasn't sure how to get a dog walker, so looked to the internet for guidance. What I found was Wag, a kind of gig-economy-reliant app for booking dog walkers.
It is basically Uber for dog walking, right down to the huge security breaches that compromise users' personal information. Today, the Wall Street Journal reported that Wag inadvertently exposed web pages revealing customers' information, including their home addresses. It's not clear how long this information was exposed, and there's no reason to believe that hackers obtained and abused it, but it's especially frightening because the data would quite literally give strangers the keys to my apartment.
When I first signed up for Wag, it sent me a lockbox for a set of keys I could keep outside my apartment building. When I scheduled a walk, the dog walker would unlock the lockbox with a code I shared with them via the app, helped Gordo do his business, and put the keys back in the lockbox before leaving. The Wall Street Journal said it observed more than 50 cases in which Wag exposed customers' address as well as the codes to their lockboxes, which, again, hold the keys to their buildings and apartments.
"That was on one day, on a subset of the pages, and the records on those pages appeared to be replaced with different ones every day or two, meaning the total number of customers potentially exposed could be much larger," the Wall Street Journal said.
I stopped using Wag in September. Since then, the company has sent more than a dozen promotional emails begging me to come back, and has texted me several times to let me know when there was a walker nearby, just in case I wanted to give Wag another shot. Wag told the Wall Street Journal it is communicating with affected customers, but I haven't heard from it yet, which hopefully simply means I wasn't affected.
It feels very weird to give someone you've never met the keys to your home (it's where I keep all my stuff!), but Wag worked when I tried it and I quickly got over it. I was happy with Wag and recommended it to friends. Wag also has a brilliant marketing strategy: the walker takes a picture of Gordo during the walk, which the app then prompted me to share via social media, which I of course did because Gordo is a beautiful boy:
People asked about Wag when I shared the images, which of course led to me recommending the app. That's how I found out about Wag myself.
In retrospect, however, feeding an app I didn't really thoroughly research precise information on where I live, the means to enter my home, and information on when I wasn't there probably wasn't the most security-conscious thing I’ve done in my life. Getting a dog walker is always going to require a certain level of trust. I am still giving someone the keys to my apartment, after all. But in this case, I basically offered my keys to anyone with the technical knowhow and will to access Wag's unprotected webpages.