Wondering What Happens to the Apps After They Die? They Keep Exposing User Data
A now-defunct iOS app has leaked the data of over 198,000 of its users. Users have started to care about how an app accesses and stores their data, but what happens to that data when the app dies may be even more dangerous.
“Post-mortem breaches can be just as harmful as live production leaks”
An iOS app named Kinotopic allowed users to create and share animated pictures and cinemagraphs. The app was discontinued in 2013; its database of user information, however, was never deleted.
Kinotopic iOS app leaks data of its 198,000 users
According to a researcher, a MongoDB database connected to the app is available “on the open internet with no protection whatsoever.” The database contains usernames, email addresses, hashed passwords, and other data belonging to over 198,000 Kinotopic users.
This misconfigured MongoDB database associated with the app was discovered by Chris Vickery, a security researcher. Vickery found the unprotected database during a routine review of search results on the Shodan search engine. Because the database is so easy to access, he believes others have likely already found it. Writing in an email to SecurityWeek, Vickery said, “I would say there’s a good chance someone else has already found it. I’d put the odds at about 80% – 90% chance it’s already been found and plundered, especially with all the news MongoDB databases have been making recently.”
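The exposure described above comes down to a mongod listener reachable from the internet with no authorization enabled. The following checker, added here as an illustration and not code from the article or from Kinotopic, parses the relevant keys of a mongod.conf and reports the weak settings; both sample configurations are constructed.

```python
"""Flag a mongod.conf that would expose a database the way the one above was."""
from typing import Dict, List

def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the two-level 'section:\\n  key: value' subset of
    mongod.conf (YAML). Comments and blank lines are ignored."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            section = line[:-1].strip()
            conf[section] = {}
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def exposure_findings(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per setting that leaves the database open to anyone."""
    findings: List[str] = []
    net = conf.get("net", {})
    if "bindIp" not in net and "bindIpAll" not in net:
        # mongod 3.6+ defaults to localhost, but older releases listened on all
        # interfaces; treat an unset listener address as a finding either way.
        findings.append("net.bindIp not set; older mongod releases listen on all interfaces by default")
    else:
        addrs = [a.strip() for a in net.get("bindIp", "").split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs) or net.get("bindIpAll") == "true":
            findings.append("listener bound to all interfaces (net.bindIp / net.bindIpAll)")
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone reaching the port can read every collection")
    return findings

WEAK_CONF = """\
# constructed sample: the shape of a database reachable from the open internet
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
# constructed sample: loopback only, authentication required
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, exposure_findings(parse_mongod_conf(text)) or ["no exposure findings"])
```

The weak sample produces two findings (open listener, no authorization) and the hardened one none; the same check runs unchanged against a live server's config file.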
After failing to reach the app’s creators, Vickery also tried contacting Apple for help in reaching the developers.
I figured that Apple might have some way to contact the developers of a prior iPhone app. After all, doesn’t it make Apple look bad if an app that had gained Apple’s official seal of approval then later exposes its user database to the entire world?
When I contacted Apple, they had this to say via email:
“Chris, if you believe that this issue affects the security of an iOS device or the iTunes Store, you may report it to email@example.com. […]
On the other hand, if this security issue only affects the application itself, I’m afraid you will need to continue getting in touch with the app developer for assistance.”
[…] I was expecting a little more assistance in tracking down the makers of this software that was, until recently, officially supported and offered in the iPhone App Store.
MacKeeper’s researcher has now made his findings public and is asking for help from anyone who knows the app’s developers or database administrators.
If you were a user of the Kinotopic iOS app and you use the same password for multiple accounts (try not to, please!), it’s time to change your passwords.