Expert Insights: Faith App Exposes Millions Through Cloud Misconfiguration

By   ISBuzz Team
Writer , Information Security Buzz | Nov 23, 2020 05:28 am PST

A popular Christian faith app has unwittingly exposed the personal data of up to 10 million users dating back several years, after misconfiguring its cloud infrastructure, researchers have warned. Santa Monica-headquartered claims to be the “#1 App for daily prayer and biblical audio content” and has been downloaded over a million times from the Play Store. Researchers at vpnMentor discovered four misconfigured AWS S3 buckets belonging to the company. Although it had made private around 80,000 files, it failed to replicate these security measures on its Cloudfront CDN, which also had access to the files. This means a hacker could have compromised personal information on as many as 10 million people, most of whom were not even users.

Notify of
2 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Martin Jartelius
November 23, 2020 1:35 pm

The new twist here is the fact that the access was through the CDN and not directly to the object storage. The fact remains that in regards to data theft and insecure information sharing, most is never detected at all and hence do not enter into the statistics. The reason insecure cloud configurations are sailing up to gain attention is that while they are far from the most frequent, they are amongst the biggest incidents. Loss of confidentiality of a laptop or file versus a cloud-based database – It is to an extent the difference between losing your wallet or losing your bank account.

Last edited 3 years ago by Martin Jartelius
Trevor Morgan
Trevor Morgan , Product Manager
November 23, 2020 1:30 pm

The unintentional but unfortunate exposure of personal data for which is responsible for care-taking should remind every organization to rethink their data security for cloud-based applications and storage. The assumption that cloud providers take care of every aspect of security for their enterprise customers is a faulty one—each organization bears the responsibility to provide an adequate level of data protection for information they process or store in their cloud repositories. Because data within the cloud is frequently in motion, more traditional perimeter-based mechanisms can fall far short of effective. Organizations should consider data-centric protection methods such as tokenization and format-preserving encryption because they travel with the data while still obfuscating the sensitive information being protected. If protected sensitive data falls into the wrong hands, threat actors cannot compromise the tokenized or encrypted information.

Last edited 3 years ago by Trevor Morgan

Recent Posts

Would love your thoughts, please comment.x