This story reminds us that every time we download an app we are enlarging our surface of attack, in the majority of cases we are not aware of exact amount of data they collect and how they use them
A group of researchers at the Kromtech Security Center has discovered online a huge trove of personal data belonging to more than 31 million users of the popular virtual keyboard app, AI.type.
The data was included in a MongoDB database that has been accidentally exposed online without any mechanism of protection.
“The Kromtech Security Center has discovered a massive amount of customer files leaked online and publically available. Researchers were able to access the data and details of 31,293,959 users.” states the post published by Kromtech Security.
“The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices.”
The misconfigured MongoDB database exposed 577 GB of data online, the records include sensitive details on the users, and the worst thing is that such data was not even necessary for the app to work. Researchers highlighted the fact that the Ai.Type request “Full Access” to all data stored on the mobile devices.
“When researchers installed Ai.Type they were shocked to discover that users must allow “Full Access” to all of their data stored on the testng iPhone, including all keyboard data past and present. It raises the question of why would a keyboard and emoji application need to gather the entire data of the user’s phone or tablet?” continues the post.
“Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application.”
The leaked data includes:
The researcher made another shocking discovery, the 6,435,813 records contained data collected by the app from users’ contact books. The leaked database included more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account.
The archive also includes a range of statistics.
“There was a range of other statistics like the most popular users’ Google queries for different regions. Data like average messages per day, words per message, the age of users, words_per_day’: 0.0, ‘word_per_session and a detailed look at their customers,” the researchers say.
The real question is, “why would like a keyboard, and emoji application need to gather the entire data of the user’s phone or tablet?”
(Security Affairs – Google Unwanted Software Policy, privacy)