Misconfigured cloud database of several dating apps exposed private conversations and other personal information publicly
Researchers from WizCase cybersecurity team have identified five dating app services that are leaking the database of registered users continuously due to the faulty configuration of cloud databases and unprotected ElasticSearch. Million registered users should be worried about personally identifiable information, including real names, telephone numbers, email addresses, private conversations, dating preferences, billing addresses, and other details being accessible online.
According to the researchers, the dating service apps hosted by CathiolicSingles.com, SPYKX.com, YESTIKI.com, Blurry dating app, charincharin.net (or kyuun-kyuun.com) have been found inappropriately protecting users' data. Three of the apps are registered in the USA, one in South Kore, and one in Japan.
The service administrators of the affected servers have been notified about the dating app data breach and are expected to patch the inconsistencies. In the case of ignorance, after the next investigation aiming at helping companies to ensure data security (as in this case), WizCase provides the information about the misconduct to the appropriate authorities for further investigation as in the case of Heyyo mobile dating app. The latter has been banned after notifying the authorities about severe privacy violations and privacy infringement due to the negligence.
Both PII and partial PII have been disclosed. Whose to be blamed?
According to the Avishai Efrat, the head of the current WizCase research, the dating service database leak happened due to the unprotected Elasticsearch servers, MongoDB databases, and AWS buckets. The servers, databases, and buckets have been left unprotected, no password has been created to prevent Personally Identifiable Information (PII) of the registered users.
So whose to blame? It's a fact that admins are responsible for the endurance of proper data protection and encryption. However, there may be various diverse reasons to explain the failure of the CathiolicSingles, SPYKX, YESTIKI, Blurry dating, and CharinCharin app admins.
A CEO of security awareness at the Lucy Security, Colin Bastable points out, the massive data leaks on romance-seeker apps is very likely to happen because of admins' focus on making the apps user-friendly putting aside the security measures:
[…]the front end UI is often secured with authentication, but admins forget that the default port 9200 is also visible and accessible online, meaning that unprotected ElasticSearch databases can leak data via the backdoor. Having built the database, the developers probably forgot all about patching it, focusing on the front end’s ease-of-use to drive user engagement and subscriber growth. Or perhaps the original architect is no longer employed. Regardless – they dropped the ball.
The dating apps that fail to ensure data protection should be considered harmful due to the sensitive nature of the stored information
Dating services are supposed to add an additional layer of security to ensure granted data protection. Otherwise, they should be considered as dangerous and posing users' risk of their data being exposed to the public. The reason for that is simple – the sensitive nature of the information. It's not surprising that romance seekers tend to disclose compromising information when creating their accounts, showing off more intriguing photos, and having spicy discussions in private conversations.
As for this massive data leaks revealed in the USA, South Korea, and Japan dating apps, cybercriminals or tech-savvy people can easily get millions of records about the app users, including their conversations, browsing data, pictures, email address, telephone numbers and other. In total, the amounts of disclosed data are the following:
1. CatholicSingles.com — USA — 50,000 entries detailing real names, billing addresses, email addresses, and other private user data.
2. SPYKX.com — South Korea — Approx. 3.7k user profiles and ~120k GPS data entries.
3. YESTIKI.com — USA — Approx. 4.3k entries with user information, activity logs, and more.
4. Blurry dating app — USA — Approx. 77k private user messages exposed.
5. Charincharin.net and kyuun-kyuun.com — Japan — Approx. 102 million entries including email addresses, mobile device info, and search preferences.
According to the researchers, the CatholicSingles app based on the Amazon bucket was found to disclose a 17MB database consisting of over 50,000 records. Names, billing addresses, phone numbers, age, gender, occupation, education, full names, email addresses were left accessible online.
The YESTIKI, the US-based dating app has been leaking 352MB user records consisting of 4300 unique leaks that give away information about user's names, addresses, geolocations, activity logs, and Foursquare secret key IDs.
The SPYKX dating app leak in South Korea was found leaking unencrypted passwords, phone numbers, age, gender, education, geolocation, and email addresses – 600MB or 123,000 records in total.
Approximately 3777MB of personal data consisting of 70,000 user records giving away private conversations. According to the researchers, the dating app ElasticSearch server is not protected properly leaving the records easily accessible.
However, the Japanese based apps dubbed Charin and Kyuun are leaking the record amount of data. Over 100 million records were found leaking via unencrypted ElasticSearch database.