It has been reported that thousands of baby videos and images are being left unsecured and exposed to the internet by Peekaboo Moments, a mobile app. This is due to the app’s developer, Bithouse Inc., leaving an Elasticsearch
Baby's First Data Breach: App Exposes Baby Photos, Videos: Peekaboo Moments Hasn't Responded to Warning That It's Exposing Personal Content A baby photo and video-sharing app called Peekaboo Moments is exposing sensitive logs through an exposed… https://t.co/pfv9BKCLuD pic.twitter.com/jYFUo8Gx9T
— Shah Sheikh (@shah_sheikh) January 14, 2020
Data on mobile devices is stored predominantly in apps so it is paramount that organisations understand just how important it is to secure their apps in order to keep their customers’ data safe and secure. It astounds me that I still have to reiterate the need to do this, particularly when it is children’s data that is being left exposed.
This breach is a great example of extracting a web API from a mobile app and then using it to extract data. It shows exactly why app developers should harden their apps against reverse engineering and use integrity checks to make sure that the app is what it is supposed to be. Exposing a database through a web API is obviously insecure so it begs the question, why are companies still doing it?
Unfortunately, this is yet another Elastic Database that is open to the public, which has nothing to do with the product itself, but purely with how the vendor has decided to set up their infrastructure and deploy their software. With the countless possibilities of ‘quickly deploying a system in the cloud’, security is -still- often overlooked by organisations. As datasets grow to these sizes and contain this sensitive information, data is becoming increasingly valuable to our business and in some cases even more valuable than money. Unfortunately, not everyone protects (your) data like the valuable asset it is. Even after vendors make statements such as ‘we take your security and privacy serious’, we often see security ending up somewhere on the bottom of the priority list… Assuming it made the priority list at all.
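The comment above makes the point that the exposure comes from deployment, not from Elasticsearch itself. The following is an added example, not code from the page or from Bithouse Inc., showing the kind of pre-deployment check a team can run over its own elasticsearch.yml: it flags a node that listens beyond loopback while X-Pack security or HTTP TLS is left off. The function names (parse_flat_yaml, audit) and both sample configurations are constructed for this illustration; the parser only handles the flat key: value layout that elasticsearch.yml normally uses.

```python
"""Audit a flat elasticsearch.yml for settings that leave the cluster readable
without credentials.

Added example; not code from the page or from the vendor it discusses.
Assumes a flat 'key: value' file (no nested YAML blocks).
"""
from typing import Dict, List, Optional

# Values of network.host that keep the node reachable only from the same machine.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample: the shape of config behind a publicly readable cluster.
EXPOSED_CONFIG = """
cluster.name: moments-prod
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

# Constructed sample: same cluster with authentication and TLS switched on.
HARDENED_CONFIG = """
cluster.name: moments-prod
network.host: 10.0.0.5         # private interface; auth is still required
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines into a dict, dropping comments and quotes."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _enabled(value: Optional[str]) -> bool:
    """Treat only an explicit true-like value as 'on'."""
    return value is not None and value.lower() in {"true", "yes", "on", "1"}


def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings that make the data readable by anyone who reaches port 9200."""
    findings: List[str] = []
    # Elasticsearch binds to loopback unless network.host is set explicitly.
    host = settings.get("network.host", "_local_")
    if host in LOOPBACK_HOSTS:
        return findings  # only reachable from the host itself; nothing to flag here

    # Before 8.0 the security module defaulted to off, so an absent key counts as off.
    if not _enabled(settings.get("xpack.security.enabled")):
        findings.append(
            "network.host=%s but xpack.security.enabled is not true: "
            "every index is readable without credentials" % host
        )
    if not _enabled(settings.get("xpack.security.http.ssl.enabled")):
        findings.append(
            "xpack.security.http.ssl.enabled is not true: "
            "credentials and documents cross the network in clear text"
        )
    anonymous_roles = settings.get("xpack.security.authc.anonymous.roles")
    if anonymous_roles:
        findings.append("anonymous requests are granted roles: " + anonymous_roles)
    return findings


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_flat_yaml(text)) or ["no findings"])
```

Run it against a real elasticsearch.yml by reading the file into `parse_flat_yaml`; the loopback early exit is deliberate, since a node that only listens on 127.0.0.1 is not what the comment above is about, but a private address still gets audited because "not internet-facing" is only as good as the firewall in front of it.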