OyeTalk was leaking unencrypted data through unprotected access to Firebase, Google’s mobile application development platform that provides cloud-hosted database services.
A popular Android voice chat app, OyeTalk, has leaked private user data, including unencrypted chats, usernames, and cellphone International Mobile Equipment Identity (IMEI) numbers.
With over five million downloads on Google Play, the app has compromised the privacy of all its users while simultaneously exposing them to malicious threats.
OyeTalk was leaking data through unprotected access to Firebase, Google’s mobile application development platform that provides cloud-hosted database services.
The researchers warned that malicious actors could have deleted the dataset, resulting in a permanent loss of users’ private messages, if the leaked data had not been backed up.
According to the Cyber News blog post, the app developers failed to close off public access to the database despite being informed of the data spill. Because the spill got too big, Google’s security measures had to step in to close off the database.
This isn’t all. The developers also carelessly left sensitive information hardcoded on the application’s client side, including a Google API (application programming interface) key and links to Google storage buckets. In the past, exploitation of this insecure practice has resulted in data loss or a complete takeover of user data stored on open Firebase or other storage systems.
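The root cause described above, a database readable and writable without authentication, can be caught before deployment by auditing the access rules. The following is an added example, not code from the researchers or from OyeTalk; it assumes the database is a Firebase Realtime Database with JSON rules (the article does not say which Firebase database product was used), and the sample rules and function names are constructed for illustration.

```python
# Assumption: Firebase Realtime Database rules, exported as JSON.
# Constructed sample rules (not OyeTalk's real configuration).
SAMPLE_RULES = {"rules": {
    "chats": {".read": True, ".write": "true",
              "$room": {".read": "auth != null"}},
    "profiles": {"$uid": {".read": "auth != null",
                          ".write": "auth != null && auth.uid === $uid"}},
}}


def _is_public(expr):
    """A rule is public when it is literally true, with no auth condition."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def audit_rules(doc):
    """Return sorted (path, operation, origin) findings for public paths.

    Realtime Database rules cascade: access granted at a parent cannot be
    revoked by a child, so children of a public node are reported as
    inherited even if they declare a stricter rule of their own.
    """
    findings = []

    def walk(node, path, inherited):
        current = dict(inherited)
        shown = path or "/"
        for op in (".read", ".write"):
            if op in current:
                findings.append((shown, op, "inherited from " + current[op]))
            elif _is_public(node.get(op)):
                findings.append((shown, op, "declared"))
                current[op] = shown
        for key, child in node.items():
            # Keys starting with "." are rule properties, not child paths.
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, path + "/" + key, current)

    walk(doc.get("rules", {}), "", {})
    return sorted(findings)


if __name__ == "__main__":
    for path, op, origin in audit_rules(SAMPLE_RULES):
        print(f"{path} {op[1:]} is public ({origin})")
```

A public `.write` finding corresponds to the deletion risk the researchers warned about; a public `.read` finding corresponds to the exposure of chats and IMEI numbers.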
It turns out this was not the first occurrence of a data leak affecting OyeTalk. The researchers found that the database had already been discovered and marked as vulnerable by unknown actors, likely with no malicious intent. The database contained specific fingerprints used to mark open Firebases, known as “Proof of Compromise” (PoC) and “Evidence of Compromise” (EoC) or “Indicator of Compromise” (IOC).
The repercussions of a data leak like the one that occurred with the OyeTalk voice chat app can be severe and far-reaching. First and foremost, the personal information of users can be compromised, leaving them vulnerable to scams.
Furthermore, the leak of personal data can also have a negative impact on the reputation of the app and the company behind it. Users may lose trust in the app and its ability to protect their data, leading to a decline in its user base and revenue. This can also result in legal consequences for the company, as they may face lawsuits and fines for violating data privacy laws.
Overall, the OyeTalk data leak can have significant and lasting consequences for users, the app and its company, and society at large. It underscores the importance of robust data protection measures and responsible handling of personal information and highlights the need for ongoing vigilance in the face of ever-evolving cybersecurity threats.