Talking to strangers? This popular chat site is saving all your messages

A PSA to people who anonymously chat with strangers on the internet: Not all spaces are so private. 

According to security researcher Indrajeet Bhuyan, Omegle — a free online chat site where strangers are randomly paired for one-on-one chat sessions — is "not as anonymous as it claims." 

Each chat log is saved on Omegle's server after a user exits a conversation, Bhuyan said in an email.

"After a user disconnects his chat, Omegle saves the entire chat log in their server permanently," Bhuyan said. 

Omegle's privacy policy states that "Chat messages are screened by an automated system for spam. In general, messages are not stored, but messages which are flagged as suspicious may be stored indefinitely, and select messages may be read by a human being to improve Omegle's anti-spam software, or for other quality control purposes." 

Omegle goes on to note that when you start a chat, the timestamp, IP address, ID cookie "and similar information for you and your chat partner" are recorded and may be used to track spammers, hackers and other potential cyberspace wrongdoers as well as for "law enforcement purposes" or to compile statistical data. All of this data is "typically" stored for about 120 days. 

The issue here isn't that Omegle is claiming that it doesn't record the chats on its platform. It states right in its privacy policy that it is collecting a whole lot of information about its users and, based on the "typically" thrown in there, can essentially hold onto all of this data for as long as it pleases. The issue is that Omegle is marketed as a space of willful anonymity, where users can develop online companionship with strangers, and unless you read through its privacy policy, you are likely unaware that your chat is being recorded from the start.

"People on Omegle often think their chats are private and chats get deleted once they disconnect from the conversation," Bhuyan said. "Due to this false sense of security, people often share sensitive information on it." 

Starting a chat is nearly instantaneous, and unless a user reads through the privacy policy page ahead of a chat, there's no indication that their information is stored. And all of this sensitive information is susceptible to hackers, meaning these private conversations could end up in the wrong hands and become very public. As The Hacker News reported, these recorded conversations require "little knowledge of hacking" to access, citing Bhuyan's Python script, Omegle-Chat-Hack, as evidence that someone outside of Omegle can download users' conversations.

An Omegle spokesperson said in an email that they think Bhuyan's hack was made feasible by guessing the URL of a chatlog a user has saved, which is a random sequence of letters and numbers.

"In practice, that is mostly a concern for chatlogs that users saved years ago, which had shorter URLs that were easier to guess," they said. "URLs generated more recently should be much harder to guess, but just to be on the safe side, I've made newly-generated URLs even longer in response to this."

They believe that those at risk are likely just users who saved their chatlogs and those saved with URLs "that are short enough to be guessable," but reiterated that Omegle has made newly-generated URLs that are even longer "to be on the safe side with this."

August 19, 2016, 3:01 p.m.: This story has been updated.