Tuesday, December 5, 2017

Another Massive Data Leakage Incident Reported


We shouldn't be surprised by this anymore, and regular readers know I've talked about the risks of data leakage on multiple occasions. This has the same characteristics as HospitalGown and Eavesdropper: the app itself is not necessarily insecure; instead, the cloud-based storage system hasn't been properly secured.

The app in this case is A.I.type Keyboard, available on both Google Play and the App Store. The exposure was discovered by the Kromtech Security Center, which found that the A.I.type Keyboard app leaked PII and other data from over 31 million users. The root cause appears to be that the app's backend, a 577 GB MongoDB database, was misconfigured so that all of its data was available to anyone with an Internet connection.

What is included in the exposed 577 GB? Here's a partial rundown:
Phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat).
In addition, there were over 6 million records that contained "data collected from users’ contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account."

Ouch. One of the things that's a bit unusual, and pretty insidious, is the information associated with social media profiles. This enables a second level of privacy invasion and surveillance against the victims. Given how valuable data is to marketers as well as black hats, this data will no doubt find its way into various commercial and dark net datasets, to be used at some future date with almost zero chance of tracing it back to the offending app.

Well, at least it's not mobile malware, right? So we shouldn't worry, correct? We'll see what kind of media coverage this gets.
