True, a privacy-oriented social media app owned by US mobile carrier Hello Mobile, leaked personal details of tens of thousands of users by failing to secure a dashboard that contained email addresses and phone numbers of users as well as their private chats, private posts, and last-known geolocation.
The social sharing app was released on the App Store and the Google Play Store in November 2017, and by early 2018 True had raised around $18 million after notching up more than half a million users worldwide. The app brands itself as a platform that lets people connect and stay in touch with others, with no place for news, political arguments or 24/7 advertisements.
“Respect for privacy and control are cornerstones of the user experience at True. Powerful controls like Grouping and sharing to different followers in different ways provide an unprecedented level of control, allowing users to be sure how they share and who sees their posts.
“Big social media companies are not social anymore. They’re an advertising business and you are the product they sell in the business. We don’t spy on you, read your cookies, or follow you around the internet. You own your data, forever, and we’ll never sell or share it with anyone. We stay out of your business. You are not our product,” True says.
Earlier this month, Mossab Hussein, the chief security officer at Dubai-based cybersecurity firm SpiderSilk, told TechCrunch that he discovered a dashboard associated with one of True’s databases that was not secured with a password, enabling anyone with an Internet connection to view the data stored in the exposed database.
Hussein said the dashboard contained daily server logs dating back to February that included the email addresses or phone numbers of registered users, their private chats, private posts, their last-known geolocation, as well as email and phone contacts uploaded by users, none of which was encrypted.
The logs also contained account access tokens, which allow users to stay logged in without having to enter their passwords. If cyber criminals gain access to these tokens, however, they can easily hijack user accounts and view private posts, photos, and other details added to their profiles.
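A defender's view of the failure described above, as an added example that is not from the article or from True: the exposed logs held raw email addresses, phone numbers, access tokens and last-known coordinates, so the two practical controls are to redact those fields before a log line is ever written, and to audit existing log stores for lines that still carry them. The sample log lines, the field names (`access_token=`, `lat=`, `lon=`) and the regular expressions are constructed assumptions for illustration, not True's actual log format.

```python
import re

# Constructed sample log lines (not real data) in the shape of application
# logs that leak the categories the report lists: an email address, a phone
# number, a session access token, a last-known location and an uploaded contact.
SAMPLE_LOG = [
    "2020-02-14T10:22:01Z INFO login user=alice@example.com phone=+1 555 123 4567 "
    "access_token=eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.dG9rZW4tdmFsdWU",
    "2020-02-14T10:23:17Z INFO location user_id=8812 lat=25.2048 lon=55.2708",
    "2020-02-14T10:24:05Z DEBUG contacts_upload user_id=8812 "
    "contact=bob@example.org contact_phone=(555) 987-6543",
    "2020-02-14T10:25:40Z WARN rate_limit user_id=8812 retry_after=30",
]

# Bearer / access-token values: keep the key so the log stays readable,
# drop the secret. Assumed key names; adjust to the application's own.
TOKEN_RE = re.compile(
    r"(?i)\b(access_token|refresh_token|token|authorization|bearer)"
    r"(=|:\s*|\s+)([A-Za-z0-9._~+/=-]{16,})"
)
# Latitude/longitude pairs written as lat=<n> lon=<n> (or latitude=/lng=).
GEO_RE = re.compile(
    r"\b(lat(?:itude)?=)(-?\d+(?:\.\d+)?)(,?\s*l(?:on|ng)(?:gitude)?=)(-?\d+(?:\.\d+)?)"
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Phone numbers with optional country code; the lookarounds stop the pattern
# from eating digit runs inside timestamps or identifiers.
PHONE_RE = re.compile(
    r"(?<![\w.])(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\w)"
)

# Order matters: tokens and coordinates go first so their digits can never be
# mistaken for a phone number by the later, looser pattern.
RULES = [
    ("token", TOKEN_RE, lambda m: f"{m.group(1)}{m.group(2)}[REDACTED_TOKEN]"),
    ("geo", GEO_RE, lambda m: f"{m.group(1)}[REDACTED_GEO]{m.group(3)}[REDACTED_GEO]"),
    ("email", EMAIL_RE, lambda m: "[REDACTED_EMAIL]"),
    ("phone", PHONE_RE, lambda m: "[REDACTED_PHONE]"),
]


def redact(line):
    """Return (sanitised line, categories that were redacted, in rule order)."""
    found = []
    for name, pattern, repl in RULES:
        line, count = pattern.subn(repl, line)
        if count:
            found.append(name)
    return line, found


def sanitise_log(lines):
    """Mitigation: what a logging filter should emit instead of the raw lines."""
    return [redact(line)[0] for line in lines]


def audit_log(lines):
    """Detection: count, per category, how many lines still expose that data."""
    counts = {}
    for line in lines:
        for name in redact(line)[1]:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for line in sanitise_log(SAMPLE_LOG):
        print(line)
    print(audit_log(SAMPLE_LOG))
```

In practice `redact` would sit in a logging filter so that the raw values never reach disk, and `audit_log` would run over archived logs as a compliance check; a non-empty audit result on a store that is reachable from the Internet is exactly the condition the report describes.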
Commenting on the exposure of user records by True, Hugo van den Toorn, manager of offensive security at Outpost24, said that if a privacy-minded social platform such as True advertises itself as being focused on privacy, this inevitably means security should also be high on its priority list, because breaches of social platforms will likely have a direct impact on the privacy of its users.
“Leaving an administrative interface exposed, accessible to anyone on the Internet without requiring any form of authentication, unfortunately, is close to being negligent in terms of security. This should have been noticed by conducting a penetration test or even earlier in True’s lifecycle by the developers or the network administrators who deployed this interface,” he added.
According to Keith Neilson, Technical Evangelist at CloudSphere, a missing password is often the result of a lack of awareness of the constantly changing cloud environment. Without the proper guardrails to remediate oversights in security, any change in policy can leave a database exposed and put sensitive information in danger of being used for targeted phishing campaigns or sold on the dark web.
“Platforms that provide a holistic view into the cloud landscape ensure businesses can stay apprised of all changes and avoid devastating misconfigurations putting customers at risk,” he added.