
Boomoji Databases Without Passwords Left Exposed

An unprotected ElasticSearch server led to a potentially massive data leak for a popular avatar app maker, Boomoji. The app, which is based in China and has 5.3 million users across the globe, allows iOS and Android users to create 3D avatars.

The personal data of its entire user base was exposed after Boomoji reportedly left two ElasticSearch databases reachable without any password, according to TechCrunch.

According to Anurag Kahol, CTO, Bitglass, “There are now tools designed to detect abusable misconfigurations within IT assets like ElasticSearch databases. Because of these tools (and the continued carelessness of companies when it comes to cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries.”
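The misconfiguration behind this kind of exposure is usually a cluster bound to a routable interface with authentication switched off. The script below is an added example, not code from the article or from Boomoji, and the two elasticsearch.yml fragments it audits are constructed here for illustration. It flags the weak setting pattern (`network.host` on a non-loopback address while `xpack.security.enabled` is not `true`) beside the hardened form, and classifies the response a scanner would get from an unauthenticated probe of the REST API; the sample responses are likewise constructed.

```python
"""Audit elasticsearch.yml for the unauthenticated-exposure pattern and
classify an unauthenticated probe response. Added example; configs and
responses below are constructed, not taken from any real incident."""

# Constructed: a cluster listening on every interface with security off.
WEAK_CONFIG = """\
cluster.name: avatars
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed: same cluster, bound to an internal address, auth and TLS on.
HARDENED_CONFIG = """\
cluster.name: avatars
network.host: 10.0.3.15
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Addresses that keep the HTTP port off the network entirely.
LOOPBACK = {"127.0.0.1", "localhost", "_local_", "::1"}


def parse_config(text):
    """Minimal parser for flat `key: value` lines in elasticsearch.yml.
    Strips comments and quotes; nested YAML blocks are out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return a list of findings; an empty list means no exposure was found."""
    cfg = parse_config(text)
    findings = []
    # Elasticsearch binds to loopback when network.host is absent.
    host = cfg.get("network.host", "127.0.0.1")
    hosts = {h.strip() for h in host.strip("[]").split(",")}
    reachable = not hosts <= LOOPBACK
    # Assumption: an unset value is treated as disabled, which matches the
    # pre-8.0 basic-licence default; 8.x enables security unless told otherwise.
    security = cfg.get("xpack.security.enabled", "").lower()
    if reachable and security != "true":
        findings.append(
            f"network.host={host} with xpack.security.enabled="
            f"{security or 'unset'}: cluster answers unauthenticated requests"
        )
    if reachable and cfg.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP layer without TLS: data and credentials travel in clear")
    return findings


def classify_probe(status, body):
    """Classify the reply to an unauthenticated GET / or /_cluster/health.
    A 200 carrying cluster metadata is the signature scanners key on."""
    if status == 200 and "cluster_name" in body:
        return "exposed"
    if status in (401, 403):
        return "auth-required"
    return "unknown"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
    # Constructed responses: what an open and a secured cluster return.
    print(classify_probe(200, '{"cluster_name":"avatars","status":"green"}'))
    print(classify_probe(401, '{"error":{"type":"security_exception"}}'))
```

Run against a real elasticsearch.yml the same way; the `classify_probe` logic is what a scanner applies to each host on port 9200, which is why a cluster that is reachable and unauthenticated is found quickly.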

One database, serving international users, was hosted in the US; the other, serving Chinese users, was hosted in Hong Kong to comply with China's data security laws. The databases reportedly contained usernames, gender, country, phone type, each user's unique Boomoji ID and school, geolocation data for 375,000 users, and the phone book entries of every user who had allowed the app access to their contacts.

Because the app also uploads contact data, the exposure reaches beyond the 5.3 million users themselves: contact details for an additional 125 million people, many of whom may not even know the app exists, could have been compromised as well. Even someone who never installed the app would have had their phone number uploaded to Boomoji's database if a contact who did use it had that number stored on their device.

“This exposure demonstrates how most enterprises – even hyper-scale providers – do not have adequate visibility into their entire infrastructure and assets to detect vulnerabilities and security gaps,” said Jonathan Bensen, acting CISO and director of product management, Balbix.

“Unsecured databases with no password protection are a simple enough problem to fix, if the companies are continuously monitoring all assets in order to quickly identify and remediate priority issues.”
