31 million users of an Android keyboard app have had their email addresses, phone numbers, and precise location exposed through the sheer carelessness of the app’s developer.
As ZDNet reports, customisable keyboard app AI.Type left a 577GB database of sensitive data on an unsecured server that was completely accessible to anybody, no password required.
The customisable keyboard app, which has been downloaded from the Google Play store approximately 40 million times, stored information in a MongoDB database that had not been properly secured against unauthorised access.
As if it wasn’t bad enough that 31 million users of the app had been put at risk, one of the database tables discovered by researchers contained an astonishing 374.6 million phone numbers – collected by the app (for reasons best known to itself) after it uploaded users’ contacts from their smartphones.
Yet more information stored in the exposed database detailed the apps installed on each user’s device, including banking and dating apps.
Users of the free edition of AI.Type were left particularly exposed as that version of the app collects more information than the paid edition, in order to make money through more targeted advertising.
According to security researchers at Kromtech, who discovered the unsecured database, it took several attempts to contact AI.Type before the poorly-configured server was finally secured.
As has been noted before, despite there being security functionality built into MongoDB many administrators continue to make the mistake of not properly configuring the software – effectively creating a goldmine of information for data thieves.
For its part, MongoDB has published a security checklist describing best practices for protecting an installation of the software.
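To show what the misconfiguration described above looks like in practice, here is an added illustration (not from the article, and not AI.Type’s actual configuration, which is not public): a mongod.conf that exposes the database to anyone who can reach it, followed by the hardened form the MongoDB checklist calls for. The IP addresses and certificate path are placeholders.

```yaml
# Weak configuration: listens on every interface and accepts clients
# without any credentials. Anyone who can reach port 27017 can read
# and modify every collection.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled   # this is also the default if the key is omitted

---
# Hardened configuration: bind only to trusted interfaces, require
# authentication for every client, and encrypt connections in transit.
net:
  bindIp: 127.0.0.1,10.0.0.5          # placeholder: private address of the app tier only
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # placeholder path to the server certificate and key
security:
  authorization: enabled
```

After enabling authorization, create an administrative user over the localhost connection before restarting, then verify from a host outside the allowed list that an unauthenticated connection is refused.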
Whether you call data leaks like this an accident or evidence of incompetence is a matter of opinion, but one thing is clear – it is innocent users who are having their privacy and security put at risk by app developers like those who built AI.Type.
This is a Security Bloggers Network syndicated blog post authored by Graham Cluley. Read the original post at: HOTforSecurity