Researchers who uncovered a data exposure from mobile app Whisper earlier this week have released more details about the incident.
Whisper is an app from MediaLab, a mobile app company that owns a host of other apps including the popular messaging service Kik. It offers a kind of anonymous social network service that allows people to post their innermost fears and desires, supposedly without risk.
Its users post everything from dark family secrets to stories of infidelity. It gathers these up and uses them for articles on its website, including “Naughty Nannies Confess To Sleeping With The Fathers They Work For”, “Alcoholism Runs In My Family”, and “I Married The Wrong Person”.
The problem, according to researcher Dan Ehrlich of cybersecurity consultancy Twelve Security, is that Whisper didn’t steward that data very well. He says that he and his colleague Matthew Porter accessed 900m records in a 5 TB database spanning 75 different servers, logged between the app’s release in 2012 and the present day. The data was stored in plain text on ElasticSearch servers and included 90 metadata points per account.
The Washington Post broke the story about the app on Monday 10 March, having worked with the researchers.
The records didn’t include real names, but did divulge their stated age, gender, ethnicity, home town, and nickname, the story said, adding that it also divulged access to groups that included intimate confessions.
Ehrlich has since followed this up with the first two of a planned five-blog series going into more depth and is dropping more details about the alleged exposure. He said:
… one has the geocoordinates of nearly every place they’ve visited, and the ability to log into their account with their password/credentials. Depending on when the account was created and how much the user engaged with the app, dozens and dozens of fields of metadata can be reviewed.
These amounted to 90 data points including some bizarre ones, according to Ehrlich’s posts, such as predator_probability
and banned_from_high_schools
. He added:
Sexual fetish groups, suicide groups, and hate group membership of users can all be seen. Whether or not a user is a predator, if they are banned from posting near high schools, and their private messages can all be viewed.
Worst of all perhaps is the disclosure of the exact coordinates of a user’s most recent post. This not only affects children posting highly sensitive information from schools but also service members on military bases and in US embassies around the world, they warned.
A MediaLab spokesperson responded:
[…] no personally identifiable data was exposed as Whisper does not collect any PII such as names, phone numbers or email addresses. The referenced data is all accessible to users from public API’s [sic] exposed within the app. The data is a consumer-facing feature of the application which users can choose to share or not share depending on which features of the application they wish to utilise.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.