A popular massage-booking app has spilled the beans on 309,000 customer profiles, including comments from their masseurs or masseuses on how creepy their customers are.
The app’s wide-open, no-password-required database was discovered by researcher Oliver Hough, who tipped off TechCrunch.
Hough said in a tweet on Tuesday that the breach was caused by unimplemented security that should have been easy-peasy, and that the failing could lead to “some serious blackmail.”
This could have been avoided by
– checking your firewall settings
– deploying some free monitoring to check for si… twitter.com/i/web/status/1…
Oliver Hough 🌧️ (@olihough86) November 27, 2018
TechCrunch reports that Urban left the database for a Google-hosted Elasticsearch instance – that’s an enterprise search tool – online without a password, “allowing anyone to read hundreds of thousands of customer and staff records.”
Anyone who knew where to look could access, edit or delete the database.
The makers of the app, which was previously known as Urban Massage but is now going by simply “Urban,” confirmed the breach on Tuesday. In its FAQ, Urban said that customers’ names, email addresses and phone numbers were exposed, as well as, potentially, their postcodes if they placed a booking on the platform. Urban says it’s going to contact those whose information it thinks was exposed.
The good news: no payment card details were exposed or accessed. Urban said that it doesn’t store such information.
The other good news: this wasn’t an attack. Rather, it was a vulnerability exposed by a security researcher searching with Shodan: a search engine for exposed devices and databases.
The bad news: Urban didn’t mention the other bits that were exposed – and they could be deeply embarrassing to anybody who isn’t proud of being outed as a chronic appointment canceller or who asks for a happy ending. From Zack Whittaker’s write-up on TechCrunch:
Among the records included thousands of complaints from workers about their clients. The records included specific complaints – from account blocks for fraudulent behavior, abuse of the referral system and persistent cancelers. But, many records also included allegations of sexual misconduct by client – such as asking for ‘massage in genital area’ and requesting ‘sexual services from therapist.’ Others were marked as ‘dangerous,’ while others were blocked due to ‘police enquiries.’ Each complaint included a customer’s personally identifiable information – including their name, address and postcode and phone number.
The exposed database may have been open for at least a few weeks before Urban pulled it offline, which it did after TechCrunch contacted it.
Urban CEO Jack Tang said that he had informed the UK’s Information Commissioner (ICO) about the breach. As of Wednesday, the ICO hadn’t determined whether it was going to investigate.
We immediately closed the potential vulnerability and have taken all appropriate action, including by notifying users and the ICO.
The researcher has now confirmed to us that he did not copy or retain any data and that he did not pass anything to anyone else other than the journalist. That was the only access we are aware of.
We would like to apologize to anyone potentially affected and continue to investigate this matter as a priority.
TechCrunch contacted several randomly chosen users whose information had been exposed. One user who requested anonymity said that the breach was a “huge violation” of her privacy.
Speaking of huge, this could potentially lead to a huge fine for Urban: the company could face penalties of up to 4% of its global annual revenue if it’s found to have breached GDPR rules.