OyeTalk, which describes itself as a social audio platform and has over 5 million downloads on the Google Play Store, left its database open to the public, exposing users' private data and conversations, according to a report from Cybernews.
Data was found to be leaking through unprotected access to Firebase, Google’s mobile application development platform. It is used to provide cloud-hosted database services.
More than 500MB of data, comprising unencrypted users' chats, usernames and cell phone International Mobile Equipment Identity (IMEI) numbers, was exposed.
The report also found sensitive data hardcoded on the client side of the app, including Google API (application programming interface) keys. This is unsafe because anything embedded in the app can be recovered by reverse engineering it.
The practice of hardcoding data on the client side has in the past led to successful exploitation by threat actors.
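Hardcoded credentials are usually caught by scanning the strings of a build before it ships. The following is an added example, not code from the report or from the OyeTalk app: it runs over a constructed list of strings of the kind pulled from an APK's resources and flags values shaped like Google API keys (39 characters beginning with "AIza"). The key-shaped value is a placeholder assembled in code, not a real credential.

```python
"""Flag Google-API-key-shaped strings in client-side build artefacts.

Added example (not part of the original article or the app it describes).
The sample strings and the key-shaped value are constructed.
"""
import re

# Google API keys are 39 characters: the fixed prefix "AIza" plus 35
# characters from [0-9A-Za-z_-]. This pattern matches exactly that shape.
GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")

# Constructed placeholder with the right shape (4 + 12 + 23 = 39 characters).
DUMMY_KEY = "AIzaSyEXAMPLEKEY" + "0" * 23

# Constructed: lines as they might appear in a decompiled app's strings.xml.
SAMPLE_STRINGS = [
    '<string name="app_name">ChatApp</string>',
    f'<string name="google_api_key">{DUMMY_KEY}</string>',
    '<string name="support_url">https://example.invalid/help</string>',
]


def find_hardcoded_keys(lines):
    """Return (line_number, matched_value) for every API-key-shaped string.

    A hit is a finding to review: check whether the key is restricted to the
    intended Android package and APIs, and whether it belongs in the client
    at all.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in GOOGLE_API_KEY.finditer(line):
            findings.append((number, match.group(0)))
    return findings


if __name__ == "__main__":
    for number, value in find_hardcoded_keys(SAMPLE_STRINGS):
        # Print only a prefix so a real key never lands in build logs.
        print(f"line {number}: possible Google API key {value[:8]}...")
```

A match is a signal, not proof of a problem: Firebase clients are expected to carry an API key, and the real control is restricting that key to the app's package and the APIs it needs, and keeping any key that grants more than that out of the client.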
The app's developers did not close public access when informed of the leak; instead the exposure was stopped from Google's end, since Google's security measures do not allow large datasets to be downloaded in one go, the report said.
The recent data leak is not the first to affect the OyeTalk app: its database had previously been discovered and marked as vulnerable to leaks by unknown actors.
The database contained fingerprints of the kind left behind to mark open Firebase databases, which shows that it lacked proper authentication for viewing data and authorisation for inserting or editing existing data, the report said.
Last month, Guidus, an Android role-playing game, leaked the data of some 100,000 users because of similar flaws in how it stored data. A similar vulnerability was also reported in Tap Busters: Bounty Hunter, another Android role-playing game.
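The open database described in the report (unprotected Firebase access, and rules that require no authentication to read or authorisation to write) comes down to the database's security rules. The following is an added example, not code from the report or from OyeTalk: it embeds two constructed Firebase Realtime Database rule sets, the wide-open configuration that exposes everything to anyone who knows the database URL and a hardened one that ties every path to a signed-in user, and walks a rules document to list the paths that can be read or written without authentication.

```python
"""Audit Firebase Realtime Database rules for unauthenticated access.

Added example (not from the original article or the app it describes).
Both rule sets below are constructed for illustration; the rule syntax
(".read"/".write", "auth", "$variable" wildcards, "data") is Firebase's.
"""
import json

# Constructed: the open configuration. Because rules cascade, granting
# read/write at the root exposes every record in the database.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed: a hardened configuration. Nothing is readable without a
# signed-in user, a user may only touch their own profile, and a chat is
# only visible to the members listed under it.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "chats": {
      "$chatId": {
        ".read": "auth != null && data.child('members').child(auth.uid).exists()",
        ".write": "auth != null && data.child('members').child(auth.uid).exists()"
      }
    }
  }
}
""")


def _grants_public_access(rule):
    """True when a rule can be satisfied with no authenticated user.

    The literal true (or the string "true") is open. An expression that
    never mentions `auth` cannot require sign-in, so it is treated as open
    too; false / "false" denies everyone.
    """
    if rule is True:
        return True
    if rule is False:
        return False
    if isinstance(rule, str):
        expr = rule.strip()
        if expr == "false":
            return False
        return "auth" not in expr
    return False


def find_public_paths(rules):
    """Return (path, permission) pairs reachable without authentication."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _grants_public_access(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_public_paths(rules) or "no public paths")
```

The walker reports the open rule set as publicly readable and writable at `/` and reports nothing for the hardened one. Run it against a rules export as a release check; any `.read` or `.write` it lists at or above a path holding user data is exactly the condition the report describes.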
Published - February 22, 2023 04:02 pm IST