Friday, 21 September, 2018

Data-slurping keyboard app makes Mongo mistake with user data

Sherri Watson | 06 December, 2017, 16:53

The personal data of over 31 million customers has been leaked online after the developers of the popular virtual keyboard app AI.type failed to secure the server that housed the database containing all of the user information their software had collected.

Security experts from Kromtech Security Center, who discovered the breach, said the company's database wasn't secured with a password, meaning the data was easily accessible to hackers and anyone else who may have inadvertently stumbled across it. Eventually the data contained on the server was secured and AI.type acknowledged that a security breach had occurred over the past weekend.

The leaked information reportedly includes phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available) and location details (long/lat). The app has a free version, which per its privacy policy collects more data than the paid version and which the company monetizes with advertising.

Several tables contained lists of each app installed on a user's device, such as banking apps and dating apps. The text records showed potentially sensitive information typed by users, including phone numbers, web search terms, and login credentials. One of the leaked database tables includes 10.7 million email addresses from contact data.

"There is no sensitive data there, we are not collecting/storing/sending any password or credit card information", he said.

Sadly, these days there is no such thing as free; often the price we pay is the upload of our data. Some of that is of course necessary for the app to do its job, but more often than not it's simply not the case.

For its part, AI.type says on its website that users' privacy "is our main concern". We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear. It also slurped 373 million names and phone numbers from the contacts of over six million users.

But Fitusi's claims are very much at odds with the findings of the Kromtech Security Center. At this point, Kromtech warns that anyone who has ever downloaded and installed the ai.type keyboard should consider their data out in the open.

"This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user", he added.

"It is clear that data is valuable and everyone wants access to it for different reasons", he said.

Ai.type uses artificial intelligence to help users type faster and more accurately.