data leak

An iPhone app called Call Recorder lets users record their phone call conversations. But a recently discovered bug leaked those calls.

But using a readily available proxy tool like Burp Suite, Prakash could view and modify the network traffic going in and out of the app. That meant he could replace his phone number registered with the app with the phone number of another app user, and access their recordings on his phone.

A new version of the app was submitted to Apple’s app store on Saturday. The release notes said the app update was to “patch a security report.”

An e-commerce app called 21 Buttons has exposed the private data of hundreds of people across Europe.

Among the millions of photos and videos, we also viewed hundreds of invoices detailing payments to users in the 21 Buttons Rewards program, covering the last few months. Some of these invoices appear to be test data, but many of them were definitely legitimate invoices detailing real records of payments made.

Telmate, owned by Global Tel Link, makes an app for prisoners to send messages and calls to friends and family. It exposed a database of private messages, call logs, and personal information numbers in the tens of millions. Why? The database wasn’t secured with a password.

Comparitech security researcher Bob Diachenko on August 13, 2020 discovered the unsecured database and immediately reported it to Global Tel Link, the company that owns and operates Telmate. The company, to its credit, responded within two hours and secured the database an hour later, but it’s possible that other unauthorized parties accessed it prior to Diachenko’s disclosure.

A database containing almost 235 million social media profiles of users from Instagram, TikTok, and YouTube has been exposed because it wasn’t password-protected.

Evidence suggests that much of the data originally came from a now-defunct company: Deep Social. The names of the Instagram datasets (accounts-deepsocial-90 and accounts-deepsocial-91) hint at the data’s origin. Based on this, [security researcher Bob] Diachenko first contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later.

Whisper, an app for people to share their secrets, exposed user data like age, location, and more for years.

The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.

The cybersecurity consultants Matthew Porter and Dan Ehrlich, who lead the advisory group Twelve Security, said they were able to access nearly 900 million user records from the app’s release in 2012 to the present day.

You can never be 100% secure but at least put a damn password on your server.

Wyze makes cheap security cameras for people, cheap in terms of price and now apparently security (ironically). A database of its user data was found exposed on the internet, unsecured.

This included a staggering array of personal information including email addresses, a list of cameras in the house, WiFi SSIDs and even health information including height, weight, gender, bone density and more.

“We are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th,” the company said. It denied that it had leaked bone density information, for example, but confirmed it had leaked “body metrics” for a small number of beta testers.

I’m still trying to figure out why a security camera company would have health information.