Brian Krebs reported today that mSpy, the maker of a software-as-a-service product that helps customers spy on the mobile devices of their kids and partners, left an open database on the web that provided access to millions of sensitive records without any authentication required.
Pravin Kothari, CEO at CipherCloud:
BACKGROUND
“mSpy, the provider of a leading parental control application for smartphones, suffered from data exposure when a database was wide open and accessible. This exposure included the transactions and identity of users that purchased mSpy licenses over the last six months or logged into the mSpy website. This database includes millions of records, according to a security researcher that discovered the exposure.”
THE DARK SIDE OF mSPY
“mSpy allows parents to monitor children’s text messages, calls, current GPS location, Snapchat, WhatsApp, Facebook postings, and much more. The goal here is child safety. Of course, the open observation is that mSpy and similar products from other vendors may also be used without the company’s permission to spy on business partners, co-workers and others. This use of mSpy, if it happens, would, of course, be illegal.
Let us assume, for a second, that this data exposure included the key that you use to login and monitor your child’s mobile device. Given the data accessible, anyone that hacked the website would be able to see your child’s data and location. Frightening implications for any parent and inexcusable for any vendor.”
THE MORAL OF THE STORY
“Once again, the moral of the story is clear. The cloud creates opportunities for accidental exposure of data and new attack surfaces for cyber thieves to exploit. Depending on the year and measurement, anywhere from 10% to 35% of all data exposures and/or resultant data breaches in the cloud are likely caused by misconfiguration. Recently we have seen a barrage of cloud services and SaaS application breaches caused by misconfiguration and human error.
Assuming these errors will happen, it is imperative that all data be kept in an encrypted format when stored in the database (as in this breach), or in use and in motion through the network, API’s, etc. This end-to-end or Zero Trust encryption happens from the “edge” of the cloud. Data is protected at all times within the cloud. This enables the applications within the service, such as mSpy, to be secured by data encryption keys which are kept in different servers.”
