Kinomap Is the Latest App to Leak Information Due to Terrible Database Management
Living through the coronavirus pandemic and the lockdown it has forced upon us is not easy, but everyone who feels tempted to start complaining about it shouldn't forget that it could have been much worse. Thanks to technology, many things that previously required going out can now be done from the comfort of our own homes. Apps like Kinomap can even help us stay in shape without leaving the house, which is especially important given the current situation.
Unfortunately, the extra convenience brings about its own set of problems. Cybersecurity is one of them, and the sad fact of the matter is that we don't think that much about it. Researchers from vpnMentor showed us why we should try to pay more attention to it.
Kinomap left over 42 million records in an unprotected database
Led by Noam Rotem and Ran Locar, vpnMentor's research team came up with a web mapping project that scans blocks of IP addresses and finds connected devices that are not configured properly. The research has been going on for a while now, and it has resulted in the discovery and remediation of quite a few data leaks. The aforementioned Kinomap is the latest application to fall into the researchers' sights.
Last month, they discovered a 40GB database that wasn't protected by a password. A quick glance let the researchers know that they were looking at information gathered by Kinomap, and after a closer inspection, they realized that it contained the personal information of around 42 million users.
Although they can't be sure, vpnMentor's experts reckon that this might be Kinomap's entire userbase. The affected individuals are spread all around the world, and they need to be extra careful because their home workout app exposed quite a lot of information about them. Among the leaked details, the researchers found:
- Names
- Kinomap usernames
- Email addresses
- Home countries
The records also included telemetry information on how the app was used, as well as links to individuals' accounts. This, coupled with the data above, could give hackers the chance to organize a sophisticated phishing attack.
In some of the records, the experts found API keys, which would allow attackers to take over entire accounts.
Kinomap's developers are hardly the first people to misconfigure an internet-connected database, and they likely won't be the last. In such cases, it's important to see service providers and software vendors own up to their mistakes and try to learn from them. The people in charge of Kinomap, however, have taken a different approach.
Kinomap prefers not to comment on the misconfigured database
vpnMentor's experts first discovered Kinomap's misconfigured database on March 16, and a couple of days later, they tried to get in touch with the developer. After hearing nothing for just under two weeks, they made another attempt to disclose the leak on March 30. The researchers wanted to be sure that someone would fix the problem, which is why they also informed the Commission nationale de l'informatique et des libertés (CNIL), the privacy regulator in France, the country where Kinomap's developers are located. On April 12, the database was finally pulled down, and the researchers think that this is likely due to CNIL's involvement.
When Sophos' Lisa Vaas got in touch with Kinomap, the app's developers finally responded. The company said that it fixed the vulnerability "immediately" after getting notified about it, which, as you can see, is in stark contrast to what the security experts reported. The institutions enforcing the EU's General Data Protection Regulation (GDPR) should decide whether Kinomap's creators' reaction was adequate.