A security lapse at the privacy-focused social networking app True exposed one of its servers, leading to private user data exposure.
It is quite ironic that a social networking app that proudly claims to protect user privacy has exposed hundreds of thousands of users’ sensitive data.
True social networking app, which was launched in 2017 by Hello Mobile, has suffered a massive data breach due to a configuration error that left one of its servers exposed.
The exposed data was not protected with a password and included sensitive details like private messages content.
Dubai-based security firm SpiderSilk reported that configuration error means anyone can access, read, and browse the leaked database since it isn’t password-protected or encrypted.
The chief security officer at SpiderSilk, Mossab Hussein, discovered the exposed database of True and shared its details with TechCrunch.
The exposed dashboard contained information dating back to February. It stored daily server logs, user’s registered phone number and email addresses, private posts’ contents, the users’ last known geolocation, and messages exchanged between users.
According to TechCrunch, it also exposed phone contacts and emails of the users’ contacts.
According to the information on BinaryEdge, a search engine that carries information on exposed devices and databases, the app’s dashboard was exposed since early September 2020.
TechCrunch created a test account and confirmed that the dashboard returned real user data, whereas Hussein stated that it was leaking account access tokens.
Hackers can use these tokens to hijack into a user’s account. Moreover, the dashboard exposed one-time login codes that True sends to the associated email address or phone number of an account, instead of storing passwords.
True has now taken the dashboard offline. The company’s chief executive Bret Cox, although confirmed the security lapse but didn’t provide crucial details on the incident. The company also didn’t confirm whether they plan to inform users about the lapse or inform the regulators as per the state’s data breach notification laws.
SpiderSilk’s conducted tests showed that the exposed data could be used to control accounts and post messages on the victim’s feed. But True claims that deleting an account will remove all the content from their servers. However, private messages, photos, and posts will still not be removed, Hussein told TechCrunch.