Unfortunately, though the thought of the porn-obsessed hypocrite getting, if you'll pardon the expression, exposed, the victims here (many of them minors) haven't helped suppress the Epstein files or turned a blind eye to war crimes or [too long a list to enumerate]. They just made the mistake of trusting a tech company with some of the most personal data imaginable.
Emanuel Maiberg writing for 404:
An app that purports to help people stop consuming pornography has exposed highly sensitive data, including its users’ masturbation habits. Some of the data exposed includes the users’ age, how often they masturbate, and how viewing pornography makes them feel. According to the data, many of them are minors.
An example of the personal data of one user said they were “14,” that their “frequency” of porn consumption was “several times a week,” with a maximum of three times a day, and that their “triggers” were “boredom” and “Sexual Urges.” This user was given a “dependence score” and listed their “symptoms” as “Feeling unmotivated, lack of ambition to pursue goals, difficulty concentrating, poor memory or ‘brain fog.’”
We’re not naming the app because the developer has not fixed the issue, which was discovered by an independent security researcher who asked to remain anonymous. The researcher first flagged the issue to the creator of the app in September. The creator of the app said he would fix the issue quickly, but didn’t. The issue is a misconfiguration in the app’s usage of the mobile app development platform Google Firebase, which by default makes it easy for anyone to make themselves an “authenticated” user who can access the app’s backend storage where in many instances user data is stored.
Overall, the researcher said he could access the information of more than 600,000 users of the porn quitting app, 100,000 of which identified as minors.
The app also invites users to write confessions about their habits. One of these read: “I just can't do this man I honestly don't know what to do know more, such a loser, I need serious help.”
When reached for comment by phone, the creator of the app told me he had talked to the researcher but that the app never exposed any user data because of a misconfigured Google Firebase, and that the researcher could have faked the data I reviewed.
“There is no sensitive information exposed, that's just not true,” the founder told me. “These users are not in my database, so, like, I just don't give this guy attention. I just think it's a bit of a joke.”
When I asked the founder why he previously thanked the researcher for responsibly disclosing the misconfiguration and said he would rush to fix it, he wished me a good day and hung up.
After the call, I created an account on the app, which the researcher was able to see appear in the misconfigured Google Firebase, showing that user information is still exposed.
This Google Firebase misconfiguration issue has been known and discussed by security researchers for years, and is still common today.
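The class of misconfiguration described in the article, shown as an added example that is not from the article or from the app in question: a rule that trusts any signed-in account, next to an owner-scoped rule. It assumes the backend is Cloud Firestore (the article says only "backend storage"), and the collection names `users` and `confessions` are hypothetical.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (kept commented out, for contrast only): "signed in" is the
    // whole check, so any account, including one a stranger has just
    // created, can read and write every document in the database.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // CORRECTED: a profile is readable and writable only by the account
    // whose uid matches the document id.
    // "users" is a hypothetical collection name.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;

      // Rules do not cascade into subcollections, so the free-text
      // entries need their own owner check.
      // "confessions" is a hypothetical subcollection name.
      match /confessions/{entryId} {
        allow read, write: if request.auth != null
                           && request.auth.uid == userId;
      }
    }

    // Paths with no matching rule are denied by default.
  }
}
```

The check to run before deploying is to sign in as a second, unrelated test account and confirm that reads of another user's document are denied, for example in the Rules Playground of the Firebase console.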