This top Android voice chat app was leaking customer data everywhere

Unsecured database was sitting unprotected online


A relatively popular Android voice chat app was found leaking sensitive user data, with anyone who knew where to look able to access it.

The OyeTalk app was using Google’s Firebase mobile application development platform, which also offers cloud-hosted databases. According to researchers from Cybernews, OyeTalk’s Firebase instance was not password-protected, meaning its contents were available for all to see.

The contents, the researchers further explained, included people’s usernames, unencrypted chats, and IMEI numbers. This last bit is somewhat more concerning as IMEI can be used by threat actors (and law enforcement, as well) to identify the device and its legal owner.

Irreversible damage

“Spilling IMEI numbers on every message sent is a vast privacy intrusion, as the message is permanently associated with a specific device and its owner at the time,” the researchers said. “Threat actors could exploit it to impose ransom.”

The database was roughly 500MB in size, meaning potential attackers could easily have downloaded or deleted it - with the latter scenario meaning there was a possibility of permanent loss of user private messages.
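An added example, not from the article or from Cybernews: a pre-deployment check that flags database rules granting read or write access to everyone, which is the condition that lets a stranger download or delete the data. It assumes the instance is a Firebase Realtime Database governed by a JSON rules file (the article does not say which Firebase database was used); the function names and sample rules are constructed for illustration.

```python
import json

def find_open_rules(rules, path="/"):
    """Walk a Realtime Database rules tree and return (path, op) pairs
    where .read or .write is granted unconditionally."""
    findings = []
    for op in (".read", ".write"):
        value = rules.get(op)
        if isinstance(value, str):
            value = value.strip()
        # Both the JSON boolean true and the string "true" mean "anyone".
        if value is True or value == "true":
            findings.append((path, op))
    for key, child in rules.items():
        # Keys starting with "." are rule settings; everything else
        # (including "$wildcard" segments) is a child path to descend into.
        if not key.startswith(".") and isinstance(child, dict):
            findings.extend(find_open_rules(child, path.rstrip("/") + "/" + key))
    return findings

def audit(rules_json):
    """Parse a rules document and list every world-open grant in it."""
    doc = json.loads(rules_json)
    return find_open_rules(doc.get("rules", {}))

# Constructed sample: every caller can read and write the whole database.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'

# Constructed sample: chats require sign-in, but one subtree is left open.
MIXED_RULES = """
{"rules": {
  "messages": {"$room": {".read": "auth != null", ".write": "auth != null"}},
  "public":   {".read": "true"}
}}
"""

if __name__ == "__main__":
    for name, text in (("open", OPEN_RULES), ("mixed", MIXED_RULES)):
        for path, op in audit(text):
            # A grant at a parent path also applies to everything beneath it.
            print(f"{name}: {op} is open to everyone at {path}")
```

Requiring `auth != null` only blocks anonymous access; any signed-in user still passes, so per-user conditions are needed where chats must stay private.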


Besides sensitive user data, the app was leaking secrets such as API keys and Google storage buckets too, as these were allegedly hardcoded in the app’s client side. For researchers at Cybernews, this is “sloppy” work by the developers, as hardcoding sensitive data into the client side of an Android app like this is “unsafe, as in most cases it can be easily accessed through reverse engineering.”

“In the past, this sloppy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems,” the researchers warned.


Even after being notified of the open database, the devs did nothing, Cybernews said, but luckily enough, Google’s security measures managed to close off the instance.

Via: Cybernews

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
