• This top Android voice chat app was leaking customer data everywh

    From TechnologyDaily@1337:1/100 to All on Thu Feb 23 12:45:03 2023
    This top Android voice chat app was leaking customer data everywhere

    Date:
    Thu, 23 Feb 2023 12:33:36 +0000

    Description:
    OyeTalk unsecured database was sitting online waiting to be accessed by anyone.

    FULL STORY ======================================================================

    A relatively popular Android voice chat app was found leaking sensitive user data, with anyone who knew where to look able to access it.

    The OyeTalk app was using Google's Firebase mobile application development platform, which also offers cloud-hosted databases. According to researchers from Cybernews, OyeTalk's Firebase instance was not password-protected,
    meaning its contents were available for all to see.

    The contents, the researchers further explained, included people's usernames, unencrypted chats, and IMEI numbers. This last bit is somewhat more
    concerning as IMEI can be used by threat actors (and law enforcement, as
    well) to identify the device and its legal owner.

    Irreversible damage

    Spilling IMEI numbers on every message sent is a vast privacy intrusion, as the message is permanently associated with a specific device and its owner at the time, the researchers said. Threat actors could exploit it to impose ransom.

    The database was roughly 500MB in size, meaning potential attackers could easily have downloaded or deleted it - with the latter scenario meaning there was a possibility of permanent loss of user private messages.

    Besides sensitive user data, the app was leaking secrets such as API keys and Google storage buckets too, as these were allegedly hardcoded in the app's client side. For researchers at Cybernews, this is sloppy work by the developers: hardcoding sensitive data into the client side of an Android app like this is unsafe because, in most cases, it can be easily accessed through reverse engineering.

    In the past, this sloppy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems, the researchers warned.

    Even after being notified of the open database, the devs did nothing, Cybernews said, but luckily enough, Google's security measures managed to
    close off the instance.

    Via: Cybernews



    ======================================================================
    Link to news story: https://www.techradar.com/news/this-top-android-voice-chat-app-was-leaking-customer-data-everywhere


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)
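
The story above describes a Firebase instance readable by anyone. As an added example (not from the article or from Cybernews), this pre-deployment check flags world-open access in a rules file. It assumes the Firebase Realtime Database rules format as strict JSON; the function names are hypothetical and both rule sets are constructed samples.

```python
import json

# Constructed sample: the kind of rules that leave a database open to all.
OPEN_RULES = '''
{
  "rules": {
    ".read": true,
    ".write": "true",
    "chats": {"$room": {".read": "auth != null"}}
  }
}
'''

# Constructed sample: per-user data locked down, one deliberate public node.
SCOPED_RULES = '''
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "public_config": {".read": true}
  }
}
'''

def is_unconditional(value):
    """True when a rule grants access to everyone, signed in or not."""
    return value is True or (isinstance(value, str) and value.strip() == "true")

def find_public_access(rules_json):
    """Return sorted (path, operation) pairs where access is world-open."""
    findings = []
    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write") and is_unconditional(value):
                findings.append((path or "/", key[1:]))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")
    walk(json.loads(rules_json)["rules"], "")
    return sorted(findings)

if __name__ == "__main__":
    for name, text in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        for path, op in find_public_access(text):
            # Access granted at a node also applies to every child beneath it.
            print(f"{name}: {op} is public at {path} and everything beneath it")
```

A finding at `/` means the whole database is exposed; a finding on a narrow path such as `/public_config` is one to confirm as intentional.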