BreachExchange mailing list archives
The Danger of Apps that Die
From: inga () riskbasedsecurity com (Inga Goddijn)
Date: Thu, 17 Mar 2016 15:03:50 -0500
https://mackeeper.com/blog/post/197-the-danger-of-apps-that-die

Post-mortem breaches can be just as harmful as live production leaks… at least for these 198,000 people.

About three years ago there was an iPhone app named Kinotopic. According to their website, which is still up, “Kinotopic allows you to create, share, and store short video moments and make them more expressive – in the form of animated pictures and cinemagraphs.”

Past users of Kinotopic may be interested to learn that there is currently a MongoDB database that appears to belong to Kinotopic sitting out on the open internet with no protection whatsoever. This derelict MongoDB instance contains, among other things, the email addresses, usernames, and hashed passwords for what appear to be over 198,000 previous Kinotopic users.

I have tried to get in touch with the Kinotopic developers in several ways. All were unsuccessful. For example, the email address given on their website for help and support is help at kinotopic.com. But good luck trying to send anything to that email address. It will bounce almost immediately.

Also, I had fun trying to contact Apple about the issue. I figured that Apple might have some way to contact the developers of a prior iPhone app. After all, doesn’t it make Apple look bad if an app that had gained Apple’s official seal of approval then later exposes its user database to the entire world? When I contacted Apple, they had this to say via email:

*“Chris, if you believe that this issue affects the security of an iOS device or the iTunes Store, you may report it to product-security at apple.com <product-security at apple.com>. […]*

*On the other hand, if this security issue only affects the application itself, I’m afraid you will need to continue getting in touch with the app developer for assistance.”*

When that response came back from Apple they already knew that I had hit a dead-end trying to contact the Kinotopic developers. I was expecting a little more assistance in tracking down the makers of this software that was, until recently, officially supported and offered in the iPhone App Store.

So, here’s where I’m at: If anyone reading this post knows of a way to get in contact with the Kinotopic developers (or their database administrators), please drop me a line at cvickery at kromtech.com. Once I’m confident that they are the proper people to speak with, I can provide the exact IP address and port number of the exposed database. A semi-redacted overview screenshot of the database should be visible above this post. If that is your database, I want to talk with you.

And to anyone that may have used Kinotopic in the past: It’s probably time to cycle in some new passwords to your mix.

From: *MacKeeper Security Researcher: Chris Vickery.*
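The post does not say how the Kinotopic instance came to be reachable, but a mongod listening on every interface with authorization left at its default (off) is the usual way a database ends up "on the open internet with no protection whatsoever". As an added illustration, not part of the original post or of the blog it forwards, here is that weak mongod.conf shape next to a hardened one. The private address 10.0.0.5 is an assumption standing in for the application server that should be the only remote client.

```yaml
# Added example, not from the original post: two mongod.conf documents
# in the YAML format mongod has used since 2.6.

# --- Document 1: the exposed shape ---
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on every interface, reachable from the internet
# No "security.authorization" key: it defaults to disabled, so any client
# that can reach the port may run listDatabases and dump every collection.
---
# --- Document 2: hardened ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5 # loopback plus the assumed private address of the app server
security:
  authorization: enabled     # every client must authenticate; create an admin
                             # user in the "admin" database before turning this on
```

Create the first administrative user with db.createUser() from the mongo shell before enabling authorization (or afterwards over the localhost exception), restart mongod, and then confirm from a host outside the private network that connecting to the port either fails or refuses to list databases without credentials. Hashed passwords in a dump like the one described above are still worth rotating, since the hashes can be attacked offline.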