Comment: Peekaboo Moments Suffers Breach Leaving Thousands Of Baby Images And Videos Exposed

It has been reported that thousands of baby videos and images are being left unsecured and exposed to the internet by Peekaboo Moments, a mobile app. This is due to the app’s developer, Bithouse Inc., leaving an Elasticsearch database open on the internet.


2 Expert Comments
Winston Bond, EMEA Technical Director
InfoSec Expert
January 15, 2020 10:55 am

Data on mobile devices is stored predominantly in apps so it is paramount that organisations understand just how important it is to secure their apps in order to keep their customers’ data safe and secure. It astounds me that I still have to reiterate the need to do this, particularly when it is children’s data that is being left exposed.

This breach is a great example of extracting a web API from a mobile app and then using it to extract data. It shows exactly why app developers should harden their apps against reverse engineering and use integrity checks to make sure that the app is what it is supposed to be. Exposing a database through a web API is obviously insecure so it begs the question, why are companies still doing it?

Last edited 2 years ago by Winston Bond
Hugo Van den Toorn, Manager, Offensive Security
InfoSec Expert
January 15, 2020 10:50 am

Unfortunately, this is yet another Elastic Database that is open to the public, which has nothing to do with the product itself, but purely with how the vendor has decided to set up their infrastructure and deploy their software. With the countless possibilities of ‘quickly deploying a system in the cloud’, security is -still- often overlooked by organisations. As datasets grow to these sizes and contain this sensitive information, data is becoming increasingly valuable to our business and in some cases even more valuable than money. Unfortunately, not everyone protects (your) data like the valuable asset it is. Even after vendors make statements such as ‘we take your security and privacy serious’, we often see security ending up somewhere on the bottom of the priority list… Assuming it made the priority list at all.

Last edited 2 years ago by Hugo Van den Toorn
Information Security Buzz