At a glance.
- Chat app leaks user data on open web.
- Stalking victim files lawsuit over abuse of driver’s license database.
- The price of AI tech.
- LockBit releases stolen Royal Mail data.
Chat app leaks user data on open web.
HackRead reports that Android voice chat app OyeTalk leaked user data because of a misconfigured cloud storage database. Missing access controls on Firebase, Google’s mobile application development platform, allowed unauthorized access to unencrypted app data stored in Firebase’s cloud-hosted database services. The exposed data includes users’ unencrypted chats, usernames, and cellphone International Mobile Equipment Identity (IMEI) numbers. The developers also left sensitive data, including a Google API key and links to Google storage buckets, hardcoded in the application’s client-side code. OyeTalk has over 5 million downloads on the Google Play store, and the researchers who discovered the leak say the app’s developers failed to secure the database even after they were informed of the issue, leaving Google to step in. What’s more, the researchers found evidence that this was not the first time the data had been exposed: the database had previously been marked as vulnerable by unknown actors.
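The misconfiguration described above is, in Firebase Realtime Database terms, a ruleset that grants read and write with no authentication condition. The following is an added example (not from the HackRead report or the OyeTalk app) that audits a ruleset before it is deployed: it walks the rules tree and reports every `.read` or `.write` that is unconditionally true, and includes two constructed rulesets, one open and one locked down to the authenticated owner of each record. It assumes the Realtime Database JSON rules format; Firestore uses a different rules language.

```python
import json

# Constructed sample: the shape of an open Realtime Database ruleset. This is
# what Firebase "test mode" generates, and it lets anyone on the internet read
# and write the whole tree without logging in (rules cascade downward).
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed sample: a locked-down ruleset. Each user's record lives under
# /users/<uid> and only that signed-in user may read or write it; everything
# else is denied by the top-level false.
LOCKED_RULES = json.loads("""
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")

def find_public_grants(rules):
    """Return (path, permission) pairs where .read or .write is unconditionally
    true, i.e. granted to unauthenticated callers. Literal true and the string
    "true" both count; anything else is treated as a conditional expression."""
    found = []
    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    found.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return found
```

Because Firebase rules cascade, a public grant flagged at any nested path exposes that whole subtree, so any non-empty result should block the deploy.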
Jason Kent, Hacker in Residence at Cequence Security, is not surprised. "As a hacker and someone that is generally curious about things, I am not surprised by a discovery of an open database. It happens all the time," he says. "The challenge is what is allowed to be done if you happen to stumble across a DB that is open. Oftentimes attempts to pull data, delete data or modify data will be met with authentication and authorization requirements. In this case, the DB was left open and anyone on the DB was now a volunteer database admin."
What might the possible effects of obtaining the database be? Kent says, "This is often an exercise in trying trying trying and maybe having some success. In this case, the would-be attacker could delete the entire DB, thus causing the app to stop working. Even deleting a few tables would cause major headaches. Couple that with the fact that API keys for third-party services were available in the data and it is possible to say they are truly and rightly owned."
And he thinks it's not that difficult to find exploitable weaknesses. "Searching for open databases, finding existing endpoints in a mobile application etc. are all very simple to perform. It seems in this case the app company didn’t do simple penetration testing to vet out any security concerns. Having worked on projects that analyze the security of mobile applications, I can pretty firmly say this isn’t the first and won’t be the last."
Stalking victim files lawsuit over abuse of driver’s license database.
A police lieutenant in the US state of Minnesota was charged last year with abusing his access to the state driver's license database in order to track down a former girlfriend, and the Star Tribune reports that the victim is now suing the city and the officer who stalked her. Sonia Sorto has filed a civil complaint alleging that the officer, appropriately named Derrick Hacker, improperly accessed the Minnesota Driver and Vehicle Services database in 2019 and 2021, sometimes up to twelve times in one day, to find data on her whereabouts. In April of last year Ramsey County prosecutors charged Hacker with twelve gross misdemeanor and six misdemeanor counts, including misconduct by a public officer, unauthorized penetration of a computer security system and violation of the state data practices act, but Hacker denies the allegations and the case is still pending.
The price of AI tech.
As the growing popularity of the chatbot ChatGPT and the digital image generator DALL-E has shown, AI-fueled technology has become increasingly available to the general public. But what are the risks involved in having such powerful AI at the fingertips of anyone with access to the web? A reporter at Vice demonstrates just how easy it could be for a thief to trick voice-recognition technology, which is increasingly being used by US and EU banks to identify customers over the phone. The reporter was able to convince the bank that he was the one attempting to access his account by using a cloned voice produced with a free voice creation service powered by AI company ElevenLabs. Lewis Silkin discusses the fact that the benefits of AI tech come with inherent data privacy risks. Not only can AI systems be hacked, but the AI itself is often trained on behavioral data that has been scraped from the internet. The writer explains, “It is very likely that these data sources will include personal data as well as potential special category personal data and even data about minors.” The article goes on to demonstrate how AI tech challenges the data protection principles of the General Data Protection Regulation, the EU’s governing data privacy legislation.
LockBit releases stolen Royal Mail data.
The Telegraph reports that 44 gigabytes of data stolen from Royal Mail was leaked Thursday on the dark web by the Russian-speaking ransomware group LockBit. The cybercriminals, who hacked Royal Mail’s systems in a January cyberattack, have demanded that the UK postal service pay £33 million to have the data removed. The gang placed a timer on their blog counting down to the date on which the stolen information would be released if the ransom was not paid, and it reached zero last week. Screenshots indicate the published data includes information on approximately two hundred postal workers, but Royal Mail has downplayed the suggestion that either employee or customer data was compromised in the breach. A Royal Mail spokesman stated, “All of the evidence suggests that this data contains no financial information or other sensitive customer information…At this stage of the investigation, we believe that the vast majority of this data is made up of technical program files and administrative business data.”