A popular Christian faith app has unwittingly exposed the personal data of up to 10 million users dating back several years, after misconfiguring its cloud infrastructure, researchers have warned. Santa Monica-headquartered Pray.com claims to be the “#1 App for daily prayer and biblical audio content” and has been downloaded over a million times from the Play Store. Researchers at vpnMentor discovered four misconfigured AWS S3 buckets belonging to the company. Although it had made private around 80,000 files, it failed to replicate these security measures on its Cloudfront CDN, which also had access to the files. This means a hacker could have compromised personal information on as many as 10 million people, most of whom were not even Pray.com users.
The new twist here is the fact that the access was through the CDN and not directly to the object storage. The fact remains that in regards to data theft and insecure information sharing, most is never detected at all and hence do not enter into the statistics. The reason insecure cloud configurations are sailing up to gain attention is that while they are far from the most frequent, they are amongst the biggest incidents. Loss of confidentiality of a laptop or file versus a cloud-based database – It is to an extent the difference between losing your wallet or losing your bank account.
The unintentional but unfortunate exposure of personal data for which Pray.com is responsible for care-taking should remind every organization to rethink their data security for cloud-based applications and storage. The assumption that cloud providers take care of every aspect of security for their enterprise customers is a faulty one—each organization bears the responsibility to provide an adequate level of data protection for information they process or store in their cloud repositories. Because data within the cloud is frequently in motion, more traditional perimeter-based mechanisms can fall far short of effective. Organizations should consider data-centric protection methods such as tokenization and format-preserving encryption because they travel with the data while still obfuscating the sensitive information being protected. If protected sensitive data falls into the wrong hands, threat actors cannot compromise the tokenized or encrypted information.