Popular animated avatar creator app Boomoji, with more than five million users across the world, exposed the personal data of its entire user base after it failed to put passwords on two of its internet-facing databases.
The China-based app developer left the ElasticSearch databases online without passwords — a U.S.-based database for its international customers, and a Hong Kong-based database containing mostly Chinese users’ data, kept there in an effort to comply with China’s data security laws, which require Chinese citizens’ data to be located on servers inside the country.
Anyone who knew where to look could access, edit or delete the databases using their web browser. And, because the databases were listed on Shodan, a search engine for exposed devices and databases, they were easily found with a few keywords.
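The failure described above is a configuration one: an Elasticsearch node that listens on a public interface with no authentication answers any HTTP request to its REST API, which is exactly what a browser or a Shodan crawler sees. The following `elasticsearch.yml` fragments are an added illustration and are not Boomoji’s configuration; the settings (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are standard Elasticsearch options, and the interface address is an assumed value.

```yaml
# --- Exposed setup (what an unauthenticated, internet-facing node looks like) ---
# Binding to all interfaces publishes port 9200 to anyone who can reach the host.
network.host: 0.0.0.0
# Security disabled: every index can be read, modified or deleted with plain HTTP calls.
xpack.security.enabled: false

# --- Hardened setup ---
# Listen only on loopback (or a private interface such as 10.0.0.5, an assumed address),
# and put any remote access behind a VPN or an authenticating reverse proxy.
network.host: 127.0.0.1
# Require credentials on every request, and encrypt the HTTP API so they are not sent in clear.
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
# Certificate paths are placeholders for wherever the deployment keeps its keystore.
xpack.security.http.ssl.keystore.path: certs/http.p12
```

A quick self-check for the hardened state is to request `http://<host>:9200/` from a machine outside the private network: a secured node either refuses the connection or answers `401 Unauthorized`, whereas an exposed node returns the cluster name and version in JSON. Running that check from the outside, and watching Shodan for one’s own IP ranges, is how an operator finds this mistake before a reporter does.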
After TechCrunch reached out, Boomoji pulled the two databases offline. “These two accounts were made by us for testing purposes,” said an unnamed Boomoji spokesperson in an email.
But that isn’t true.
The database contained records on all of the company’s iOS and Android users — some 5.3 million users as of this week. Each record contained their username, gender, country, and phone type.
Each record also included a user’s unique Boomoji ID, which was linked to other tables in the database. Those other tables recorded whether a user attends a school and which one — a feature Boomoji touts as a way for users to get in touch with their fellow students. That unique ID was also linked to the precise geolocation of more than 375,000 users who had allowed the app to know their location at any given time.
Worse, the database contained every phone book entry of every user who had allowed the app access to their contacts.
One table had more than 125 million contacts, including their names (as written in a user’s phone book) and their phone number....