True, a social media mobile app that prides itself on protecting user privacy, had a security lapse that left its servers exposed to the public. The spilled private data were left for anyone on the internet to read.
The app was launched in 2017 by Hello Mobile, a small virtual cell carrier that uses T-Mobile’s network. True’s website states that the company has raised $14 million in venture capital and has accumulated more than 500 thousand users since the product’s launch.
The exposure was discovered when a dashboard for one of the app’s databases was found open to the internet without requiring any authentication or password. This allowed anyone to browse, filter, read, and search the database contents, which included users’ private data.
A cybersecurity researcher found the unsecured dashboard; the data was provided by BinaryEdge, a search engine that indexes publicly accessible and unsecured databases, which showed that the dashboard had been publicly available since September of this year. True was contacted and notified of the exposed data, and it has since taken the dashboard offline.
Bret Cox, chief executive of True, confirmed the security lapse.
The exposed data contained daily server and system logs dating back to February, including users’ registered email addresses, phone numbers, contacts, private posts, and messages between users. The logs also recorded each user’s last known geolocation, revealing where that user had been, as well as the phone contacts and email addresses uploaded by users, which the app uses to match them with friends already on the app.
The exposed True data were not encrypted.
The researchers confirmed that the database exposed through the dashboard contained data from real users by creating test accounts and then looking in the data for information only the account’s creator would know, such as the phone number used to verify the new account.
Aside from user data, account access tokens were also leaking; these can be used to hack and hijack the affected user’s account. An account access token is a string of random-looking alphanumeric characters that keeps a user logged in to the app without re-entering login credentials. The researchers used an access token from the logs to log in to their test account and post to its feed.
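As an added, defender-side example (not code from the article or from True), the filter below shows one mitigation for the logging problem described above: it redacts email addresses, phone numbers, geolocation fields and access tokens from log lines before they are stored or shipped to a dashboard. The sample log lines, field names and token values are constructed for this example and are not from the incident.

```python
import re

# Constructed sample log lines (not from the incident) showing the kinds of data
# the article says the daily server logs contained: email addresses, phone
# numbers, last-known geolocation and account access tokens.
SAMPLE_LOG = """\
2020-10-12T08:01:22Z INFO login user=alice@example.com phone=+14155550123 token=Zk9qL3hYd2Rm5x8v1bQeT0pW
2020-10-12T08:02:03Z DEBUG feed GET /posts Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.x.y
2020-10-12T08:02:05Z INFO geo user=alice@example.com lat=37.7749 lon=-122.4194
"""

# Ordered (pattern, replacement) rules. Tokens are handled first so a token is
# never partially matched by a later rule; the phone rule requires 10-15
# consecutive digits so dashed timestamps such as 2020-10-12 are left intact.
RULES = [
    (re.compile(r"(token=|Bearer\s+)[A-Za-z0-9._~+/=-]{16,}"), r"\1<redacted>"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "<email>"),
    (re.compile(r"\+?\d{10,15}\b"), "<phone>"),
    (re.compile(r"\b(latitude|longitude|lat|lon)=-?\d+(?:\.\d+)?"), r"\1=<geo>"),
]


def redact_line(line: str) -> str:
    """Return the log line with secrets and personal data replaced by placeholders."""
    for pattern, replacement in RULES:
        line = pattern.sub(replacement, line)
    return line


def redact_log(text: str) -> list[str]:
    """Redact every non-blank line of a log and return the cleaned lines."""
    return [redact_line(line) for line in text.splitlines() if line.strip()]


def contains_sensitive(line: str) -> bool:
    """True if any rule still matches; use as a final guard before shipping a line."""
    return any(pattern.search(line) for pattern, _ in RULES)


if __name__ == "__main__":
    for clean in redact_log(SAMPLE_LOG):
        print(clean)
```

Regex-based redaction is a last line of defence; the field-level fix is to never write tokens or contact data to logs in the first place, and to keep log dashboards behind authentication.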
This is an excellent example of how misconfigurations and mistakes can happen in any company or organization, highlighting the importance of securing every application build before it is exposed.