The app in question is the Aspire News App, which, among other data, also leaked voice recordings of victims asking for help against their abusers.
Data breaches have long been a problem for companies that store user data. At various times, they have resulted in highly confidential data being leaked, harming the reputation of the firm involved.
One such incident has now emerged: the “Aspire News App” for Android, developed by a US-based non-profit, suffered a data breach, as reported by researchers from vpnMentor.
The app provides news stories sourced from Yahoo and is focused on helping domestic violence victims by allowing them to make timely distress calls which are sent with the help of voice recordings accompanied by details including the following:
- User address
- Nature of emergency
- Current location
- Other critical information
Naturally, all of this data needs to be stored somewhere, and in this case that was a database in an Amazon Web Services (AWS) S3 bucket. However, due to security configuration errors, the database was breached, resulting in the exposure of 4000 voice recordings, ranging from September 2017 till now, which anyone could view and download in the open.
This led to the leak of personally identifiable information of some, if not all, of the victims, including their names, addresses, and even the names of the abusers (good riddance). Examples from a couple of transcripts obtained of these recordings are as follows:
Commenting further on their nature, vpnMentor stated in their blog post that,
The samples we listened to appeared to be pre-recorded, most likely when a victim had only a few minutes alone and needed to record and save a distress message quickly. They could then instantly send the saved message to an emergency contact any time they felt in danger, by pressing a button on the app.
Luckily, when this entire ordeal was discovered on 24 June, the researchers alerted both Amazon and the company, and the data was secured on the very same day. Even so, the incident has serious repercussions: it takes away the much-needed anonymity that the victims would have consciously chosen, and it is a blow to champions of human rights.
Moreover, with many people in danger, especially due to the ongoing pandemic, it could discourage potential victims from resorting to such handy apps.
To conclude, one future measure Aspire could take is to ensure that an internal or external team is constantly evaluating its cybersecurity.
Additionally, in the context of AWS S3, proper authentication protocols need to be used, and all the data should be encrypted so that it is useless even if a malicious actor does gain access.
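As an added illustration of those two S3 recommendations (this is example code written for this article, not code from Aspire or vpnMentor), the Python sketch below audits a bucket's Block Public Access settings, bucket policy and default-encryption rules for anonymous read access and missing encryption. The sample configurations and the bucket name `example-recordings` are constructed placeholders and do not reproduce Aspire's actual setup, which the report does not describe.

```python
import json
from fnmatch import fnmatchcase

# The four S3 Block Public Access settings; all should be true.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} grants access to any caller, signed in or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(pab, policy_json, sse):
    """Return findings for one bucket's configuration documents."""
    findings = []
    off = [f for f in PAB_FLAGS if not (pab or {}).get(f)]
    if off:
        findings.append("block-public-access off: " + ",".join(off))
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        read = [r for r in READ_ACTIONS
                if any(fnmatchcase(r, p) for p in patterns)]
        # Statements carrying a Condition are skipped here and need manual review.
        if (stmt.get("Effect") == "Allow" and read
                and _is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append("anonymous read allowed: " + ",".join(read))
    rules = (sse or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for r in rules):
        findings.append("no default server-side encryption")
    return findings

# Constructed sample configurations (bucket name is a placeholder).
OPEN_PAB = dict.fromkeys(PAB_FLAGS, False)
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-recordings/*"}]})
LOCKED_PAB = dict.fromkeys(PAB_FLAGS, True)
LOCKED_SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                         {"SSEAlgorithm": "aws:kms"}}]}

if __name__ == "__main__":
    print(audit_bucket(OPEN_PAB, OPEN_POLICY, None))
    print(audit_bucket(LOCKED_PAB, None, LOCKED_SSE))
```

The three arguments correspond to the documents AWS returns from `aws s3api get-public-access-block`, `get-bucket-policy` and `get-bucket-encryption`, so the same function can be pointed at real output.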