Boomoji Databases Without Passwords Left Exposed

Unprotected Elasticsearch servers led to a potentially massive data leak at Boomoji, a popular avatar app maker. The app, which is based in China and has 5.3 million users across the globe, lets iOS and Android users create 3D avatars.

The personal data of its entire user base was exposed after Boomoji reportedly left two Elasticsearch databases reachable from the internet without a password, according to TechCrunch.

According to Anurag Kahol, CTO, Bitglass, “There are now tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases. Because of these tools (and the continued carelessness of companies when it comes to cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries.”

One database, serving international users, was hosted in the US; the other, serving Chinese users, was hosted in Hong Kong in order to comply with China’s data security laws. The databases reportedly contained usernames, gender, country, phone type, the unique Boomoji ID, users’ schools, geolocation data for 375,000 users and the phone book entries of every user who had allowed the app to access their contacts.

Because the app also collects contact data, the exposure reaches beyond the records of its 5.3 million users: the contact information of a further 125 million people who may never have heard of the app could have been compromised as well. Even if you did not use the app, if someone you know does and has your phone number stored on their device, the app more than likely uploaded your contact information to Boomoji’s database.

“This exposure demonstrates how most enterprises – even hyper-scale providers – do not have adequate visibility into their entire infrastructure and assets to detect vulnerabilities and security gaps,” said Jonathan Bensen, acting CISO and director of product management, Balbix.

“Unsecured databases with no password protection are a simple enough problem to fix, if the companies are continuously monitoring all assets in order to quickly identify and remediate priority issues.”
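As an added example (not code from the article, from Boomoji or from TechCrunch), here is the kind of check the continuous asset monitoring mentioned above can run against every Elasticsearch host in an inventory: send one unauthenticated GET to the REST root, classify the answer, and size the exposure from the `_cat/indices` listing. The host, cluster name, index names and document counts in the samples are constructed for illustration; only `probe_url` touches the network, and only when you pass it a URL.

```python
"""Classify Elasticsearch probe responses and size the exposure.

Added example for this article; not Boomoji's code and not taken from the
TechCrunch report. Cluster name, index names and counts are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Optional
from urllib import error, request


@dataclass
class Probe:
    """Result of an HTTP GET against an Elasticsearch endpoint."""
    status: Optional[int]                 # None when there was no HTTP answer at all
    headers: dict = field(default_factory=dict)
    body: str = ""


def probe_url(url: str, timeout: float = 5.0) -> Probe:
    """GET a URL with no credentials and keep status, headers and body.

    Run this only against hosts you are authorised to test.
    """
    req = request.Request(url, headers={"Accept": "application/json"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status,
                         {k.lower(): v for k, v in resp.headers.items()},
                         resp.read().decode("utf-8", "replace"))
    except error.HTTPError as exc:        # 4xx/5xx still carry useful headers
        return Probe(exc.code,
                     {k.lower(): v for k, v in exc.headers.items()},
                     exc.read().decode("utf-8", "replace"))
    except (error.URLError, OSError):
        return Probe(None)


def classify(probe: Probe) -> str:
    """Return 'unreachable', 'auth-required', 'open' or 'other'.

    A node that answers GET / with 200 and a JSON document carrying
    cluster_name and version is serving the REST API with no credentials
    asked for. A 401 (normally with WWW-Authenticate) or 403 means some
    authentication layer sits in front of it.
    """
    if probe.status is None:
        return "unreachable"
    if probe.status in (401, 403):
        return "auth-required"
    if probe.status == 200:
        try:
            doc = json.loads(probe.body)
        except json.JSONDecodeError:
            return "other"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "other"


def exposed_docs(cat_indices_json: str) -> int:
    """Sum docs.count over user indices from GET /_cat/indices?format=json.

    System indices (names starting with '.') are skipped. docs.count is a
    string in the _cat API and is null for a closed index.
    """
    total = 0
    for row in json.loads(cat_indices_json):
        if row.get("index", "").startswith("."):
            continue
        total += int(row.get("docs.count") or 0)
    return total


# Constructed sample responses (not captured from any real host).
SAMPLE_OPEN = Probe(200, {"content-type": "application/json; charset=UTF-8"}, json.dumps({
    "name": "node-1", "cluster_name": "avatars",
    "version": {"number": "6.4.2"}, "tagline": "You Know, for Search",
}))
SAMPLE_AUTH = Probe(401, {"www-authenticate": 'Basic realm="security" charset="UTF-8"'}, json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
}))
SAMPLE_DOWN = Probe(None)
SAMPLE_CAT_INDICES = json.dumps([                       # counts mirror the article's figures
    {"health": "green", "status": "open", "index": ".kibana", "docs.count": "3"},
    {"health": "green", "status": "open", "index": "users", "docs.count": "5300000"},
    {"health": "yellow", "status": "open", "index": "contacts", "docs.count": "125000000"},
    {"health": "red", "status": "close", "index": "archive", "docs.count": None},
])


if __name__ == "__main__":
    import sys
    for name, sample in (("open node", SAMPLE_OPEN), ("secured node", SAMPLE_AUTH),
                         ("no answer", SAMPLE_DOWN)):
        print(f"{name:13s} -> {classify(sample)}")
    print("documents in user indices:", exposed_docs(SAMPLE_CAT_INDICES))
    if len(sys.argv) > 1:                   # e.g. python probe_es.py http://127.0.0.1:9200/
        print(sys.argv[1], "->", classify(probe_url(sys.argv[1])))
```

A result of `open` for a host that is reachable from the internet is the condition described in this story. The fix on the Elasticsearch side is to bind `network.host` to a private interface and put authentication on the REST API; note that in the 6.x releases current at the time of this report, built-in authentication was part of the commercial X-Pack security features, which is one reason so many clusters ran open (Elastic began bundling basic authentication in the free tier from 6.8 and 7.1 onwards).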
