Researchers who uncovered a data exposure from mobile app Whisper earlier this week have released more details about the incident.
Whisper is an app from MediaLab, a mobile app company that owns a host of other apps including the popular messaging service Kik. It offers a kind of anonymous social network service that allows people to post their innermost fears and desires, supposedly without risk.
Its users post everything from dark family secrets to stories of infidelity. It gathers these up and uses them for articles on its website, including “Naughty Nannies Confess To Sleeping With The Fathers They Work For”, “Alcoholism Runs In My Family”, and “I Married The Wrong Person”.
The problem, according to researcher Dan Ehrlich of cybersecurity consultancy Twelve Security, is that Whisper didn’t steward that data very well. He says that he and his colleague Matthew Porter accessed 900m records in a 5 TB database spanning 75 different servers, logged between the app’s release in 2012 and the present day. The data was stored in plain text on ElasticSearch servers and included 90 metadata points per account.
The Washington Post broke the story about the app on Monday 10 March, having worked with the researchers.
The records didn’t include real names, but did divulge their stated age, gender, ethnicity, home town, and nickname, the story said, adding that it also divulged access to groups that included intimate confessions.
Ehrlich has since followed this up with the first two of a planned five-blog series going into more depth and is dropping more details about the alleged exposure. He said:
… one has the geocoordinates of nearly every place they’ve visited, and the ability to log into their account with their password/credentials. Depending on when the account was created and how much the user engaged with the app, dozens and dozens of fields of metadata can be reviewed.
These amounted to 90 data points including some bizarre ones, according to Ehrlich’s posts, such as predator_probability and banned_from_high_schools. He added:
Sexual fetish groups, suicide groups, and hate group membership of users can all be seen. Whether or not a user is a predator, if they are banned from posting near high schools, and their private messages can all be viewed.
Worst of all perhaps is the disclosure of the exact coordinates of a user’s most recent post. This not only affects children posting highly sensitive information from schools but also service members on military bases and in US embassies around the world, they warned.
A MediaLab spokesperson responded:
[…] no personally identifiable data was exposed as Whisper does not collect any PII such as names, phone numbers or email addresses. The referenced data is all accessible to users from public API’s [sic] exposed within the app. The data is a consumer-facing feature of the application which users can choose to share or not share depending on which features of the application they wish to utilize.
Latest Naked Security podcast
from Naked Security https://ift.tt/3aSSX53
Did you hear there is a 12 word phrase you can communicate to your crush... that will induce intense feelings of love and instinctual attraction for you buried within his chest?
ReplyDeleteThat's because deep inside these 12 words is a "secret signal" that fuels a man's impulse to love, worship and look after you with his entire heart...
12 Words That Fuel A Man's Love Response
This impulse is so hardwired into a man's genetics that it will drive him to try harder than before to take care of you.
Matter of fact, triggering this dominant impulse is so essential to having the best ever relationship with your man that as soon as you send your man a "Secret Signal"...
...You'll instantly notice him expose his heart and mind to you in such a way he never expressed before and he'll identify you as the only woman in the galaxy who has ever truly understood him.