Thousands of PhotoSquared Users Are Facing a Data Breach
As some of you may know by now, Noam Rotem and Ran Locar lead a team of researchers at VPN Mentor that is tasked with a large-scale web mapping project designed to uncover and secure poorly protected databases that leak sensitive information. Over the last few months, they have reported a number of massive data breaches and have really shown how often companies don't do enough to protect users' data. Rotem and Locar have admitted that finding out who is leaking the information often requires days of investigation and a lot of hard work. With their most recent discovery, however, this was not the case.
During a port scanning session, Rotem and Locar's team discovered an AWS S3 bucket that was publicly accessible and required no authentication at all (S3 buckets are not "password protected"; access is governed by ACLs, bucket policies and the account's Block Public Access settings, and here none of them stood in the way). It held just under 95GB of data, and the bucket's name, which appears in the URL, gave away its owner – PhotoSquared.
What is PhotoSquared?
You stand a better chance of understanding the scope of the leak if you know what PhotoSquared does. It wants to be one of the 21st century's answers to the photo developer's shop. Instead of going into a physical location and handing over the photos you want printed, you use the mobile app to choose your favorite snaps from your camera roll or social media feeds. An online payment later, PhotoSquared prints your photos on 8" x 8" boards and posts them to your address. It sounds very convenient, which is probably why more than 100,000 people have downloaded the app from Google Play. The business model does mean, however, that someone, somewhere, is tasked with handling the personal details and favorite pictures of a large number of users. Sadly, that someone didn't do a very good job.
A misconfigured S3 bucket leaks the photos and personal information of hundreds of thousands of users
The size of the bucket was a pretty good giveaway as to what it contained. When they opened it, Noam Rotem and Ran Locar found about 1 million records that included:
- Users' photos prepared for editing and printing
- Order records and receipts saved as PDF documents
- Labels and shipping information
- Users' names
- Home and delivery addresses
It's difficult to say how many people are affected by the leak, but the researchers pointed out that the information in the database was collected between November 2016 and January 2020, which is a significant time span. As the experts also noted, the potential repercussions are quite scary.
A combination of private photos and personal information (including home addresses) could give a potential burglar a pretty good insight into their target's life. In addition to this, the leaked details can act as a starting point for additional reconnaissance and further criminal activity.
Rotem and Locar discovered the unprotected bucket on January 30 and reached out to the app's developer on February 4. It took PhotoSquared ten full days to secure the bucket, but thankfully, it is now closed to the public. There's no evidence of anyone abusing the exposed data, but that should be read with care: S3 does not record who fetched an object unless server access logging or CloudTrail data events were switched on beforehand, so "no evidence" may simply mean "no logs". All we can do is hope that everyone has learned their lessons.
The incident is the next in a very long line of grim reminders that although apps like PhotoSquared bring a healthy dose of convenience and novelty to our lives, using them often means trusting them with quite a lot of extremely sensitive personal information. This is something we should probably bear in mind before we hit the Install button.
The breach should also remind the developers of these apps that handling the data of hundreds of thousands of people is a huge responsibility. Simple misconfiguration mistakes like the one PhotoSquared made should be completely intolerable.
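What that kind of misconfiguration looks like in concrete terms, as an added example that is not code from this article or from PhotoSquared: the function below takes the three things an auditor can pull for any bucket with the AWS CLI or SDK (the bucket ACL from get-bucket-acl, the bucket policy from get-bucket-policy and the Block Public Access settings from get-public-access-block) and reports whether the bucket is effectively public. The inputs are constructed, the bucket name `example-photo-bucket` is made up, and the code runs offline; nothing here touches a real AWS account.

```python
"""Added example, not code from the article or from PhotoSquared: classify
an S3 bucket's effective exposure from its ACL grants, its bucket policy and
its Block Public Access (PAB) settings. All sample data is constructed;
'example-photo-bucket' is a made-up name."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_acl_grants(grants):
    """Permissions the bucket ACL grants to AllUsers (anonymous) or to
    AuthenticatedUsers (any AWS account whatsoever), as (group, permission)."""
    found = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], g["Permission"]))
    return found


def public_policy_actions(policy):
    """Actions that an unconditional Allow statement grants to a wildcard
    principal. Statements carrying a Condition are skipped here on purpose:
    they can still be public in practice (e.g. a Condition only on
    aws:SecureTransport), so they need a manual review."""
    if policy is None:
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for s in statements:
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        if not _wildcard_principal(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        found.extend([actions] if isinstance(actions, str) else actions)
    return found


def assess_bucket(grants, policy, pab):
    """Return (verdict, findings). The PAB flags override ACL and policy:
    IgnorePublicAcls neutralises public ACL grants, RestrictPublicBuckets
    neutralises public policy statements. Anything else is reported."""
    pab = pab or {}
    findings = []
    if not pab.get("IgnorePublicAcls"):
        findings += ["acl:%s:%s" % (grp, perm) for grp, perm in public_acl_grants(grants)]
    if not pab.get("RestrictPublicBuckets"):
        findings += ["policy:%s" % a for a in public_policy_actions(policy)]
    if findings:
        return "public", findings
    if all(pab.get(k) is True for k in PAB_KEYS):
        return "private (public access blocked)", []
    return "private (no block; relies on ACL and policy staying clean)", []


# Constructed inputs: the shape of misconfiguration the article describes ...
LEAKY_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-photo-bucket/*"}],
})
NO_PAB = None

# ... and the hardened form: owner-only ACL, no policy, all four PAB flags on.
OWNER_ONLY_ACL = LEAKY_ACL[:1]
ALL_BLOCKED = {k: True for k in PAB_KEYS}


def leaky_example():
    return assess_bucket(LEAKY_ACL, LEAKY_POLICY, NO_PAB)


def hardened_example():
    return assess_bucket(OWNER_ONLY_ACL, None, ALL_BLOCKED)


if __name__ == "__main__":
    print(leaky_example())     # ('public', ['acl:AllUsers:READ', 'policy:s3:GetObject'])
    print(hardened_example())  # ('private (public access blocked)', [])
```

Two caveats when using this in practice. A bucket ACL that looks clean does not prove that individual objects are private: object ACLs are separate, which is exactly why turning on all four Block Public Access flags (the hardened case above) is the setting that actually ends the class of mistake, rather than cleaning up grants one by one. And a policy statement with a Condition is skipped by the checker, not cleared; read it.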