Voice chat app OyeTalk has been found leaking unencrypted user data due to misconfigurations in its mobile application development platform run by Google, according to Cybernews.
The OyeTalk app, advertised “as one of the fastest-growing audio talent-hosting applications,” is available in over 100 countries and has been downloaded more than 5 million times on Google Play.
“Researchers discovered that OyeTalk was leaking data through unprotected access to Firebase, Google's mobile application development platform that provides cloud-hosted database services,” the Cybernews report reads.
The open database exposed over 500MB of data, including unencrypted user chats, user names, cellphone International Mobile Equipment Identity (IMEI) numbers, and developer “secrets” that could lead to a complete takeover of user data.
“Along with an open Firebase instance, the developers left some sensitive information, commonly known as secrets, hardcoded in the application's client side, including Google API (application programming interface) key and links to Google storage buckets,” Cybernews researchers explained. “In the past, this sloppy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems.”
The leak could have a severe impact on users’ security and privacy if malicious actors had accessed it before Google closed off the unsecure instance.
OyeTalk users could have been targeted by scams and risked permanent loss of private messages, while the exposed IMEI numbers may have led to owners becoming ransom victims.
“Using IMEI, law enforcement and threat actors can identify a device and the legal owner of the device. Spilling IMEI numbers on every message sent is a vast privacy intrusion, as the message is permanently associated with a specific device and its owner at the time. Threat actors could exploit it to impose ransom,” Cybernews added.
Want to stay on top of data breaches and leaks?
Specialized software such as Bitdefender Digital Identity Protection can keep your identity safe against data breaches with features including:
tags
Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.
View all postsDecember 19, 2024
November 14, 2024