
Android

Popular avatar app Boomoji exposed millions of users’ contact lists and location data

Judhajeet Das


Popular animated avatar creator app Boomoji, with more than five million users across the world, exposed the personal data of its entire user base after it failed to put passwords on two of its internet-facing databases.

The China-based app developer left two Elasticsearch databases online without passwords: a U.S.-based database for its international customers and a Hong Kong-based database containing mostly Chinese users’ data, the latter kept there to comply with China’s data security laws, which require Chinese citizens’ data to be stored on servers inside the country.

Anyone who knew where to look could access, edit or delete the databases using nothing more than a web browser. And because both databases were indexed by Shodan, a search engine for exposed devices and databases, they could be found with a few keywords.

After TechCrunch reached out, Boomoji pulled the two databases offline. “These two accounts were made by us for testing purposes,” said an unnamed Boomoji spokesperson in an email.

But that isn’t true.

The database contained records on all of the company’s iOS and Android users — some 5.3 million users as of this week. Each record contained their username, gender, country and phone type.

Each record also included a user’s unique Boomoji ID, which was linked to other tables in the database. Those other tables recorded which school, if any, a user attends, a feature Boomoji touts as a way for users to get in touch with their fellow students. The same unique ID was also linked to the precise geolocation of more than 375,000 users who had allowed the app to know their location at any given time.

Worse, the database contained every phone book entry of every user who had allowed the app access to their contacts.

One table had more than 125 million contacts, including their names (as written in a user’s phone book) and their phone numbers. Each record was linked to a Boomoji user’s unique ID, making it relatively easy to work out whose contact list belonged to whom.

Even if you didn’t use the app, anyone who has your phone number stored on their device and used the app more than likely uploaded your number to Boomoji’s database. To our knowledge, there’s no way to opt out or have your information deleted.

Given Boomoji’s response, we verified the contents of the database by installing the app on a dedicated iPhone with a throwaway phone number and a contact list containing a few dummy, but easy-to-search, entries. To find friends, the app matches your contacts against those registered in its database. When we were prompted to allow the app access to our contacts list, the entire dummy contact list was uploaded instantly, and it was viewable in the database.

So long as the app was installed and had access to the contacts, new phone numbers would be automatically uploaded.

Yet, none of the data was encrypted. All of the data was stored in plaintext.

Although Boomoji is based in China, it claims to follow California state law, where data protection and privacy rules are some of the strongest in the U.S. We asked Boomoji if it has or plans to inform California’s attorney general of the exposure as required by state law, but the company did not answer.

Given the vast amount of European users’ information in the database, the company may also face penalties under the EU’s General Data Protection Regulation, which can impose fines of up to four percent of the company’s global annual revenue for serious breaches.

But given its China-based presence, it’s not clear what actionable repercussions the company could face.

This is the latest in a series of exposures involving Elasticsearch instances, a popular open source search and database server. In recent weeks, several high-profile data exposures have been reported as a result of companies’ failure to practice basic data security measures, including Urban Massage exposing its own customer database, Mindbody-owned FitMetrix forgetting to put a password on its servers and Voxox, a communications company, leaking phone numbers and two-factor codes of millions of unsuspecting users.
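The exposures above share one root cause: an Elasticsearch HTTP endpoint bound to a network interface while authentication is switched off. The following added example, which is not part of the original article and has nothing to do with Boomoji’s actual configuration, audits a flat elasticsearch.yml for exactly that pairing. Both sample configurations are constructed for illustration; the settings checked (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch keys, and the script treats a missing `xpack.security.enabled` as off because that was the default before Elasticsearch 8.0.

```python
"""Audit a flat elasticsearch.yml for the combination that turns a cluster into
an open, passwordless database: HTTP bound beyond loopback with security off.
Added example; the sample configurations below are constructed, not Boomoji's."""

# Constructed sample: a weak configuration in the style of a pre-8.0 cluster.
WEAK_CONFIG = """\
cluster.name: avatar-prod          # hypothetical cluster name
network.host: 0.0.0.0              # listens on every interface
http.port: 9200
xpack.security.enabled: false      # no username/password on the REST API
"""

# Constructed sample: the same file after hardening.
HARDENED_CONFIG = """\
cluster.name: avatar-prod
network.host: 127.0.0.1            # reachable only from this host
http.port: 9200
xpack.security.enabled: true       # every request must authenticate
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that stay on the local machine; anything else
# (0.0.0.0, ::, _site_, _global_, a routable address) is reachable remotely.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the dotted `key: value` lines Elasticsearch uses; nested YAML
    blocks are out of scope for this check. Comments and quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def bound_hosts(value):
    """Split `network.host` (scalar or inline list) into individual values."""
    inner = value.strip("[]")
    return [v.strip().strip("'\"") for v in inner.split(",") if v.strip()]


def audit(config_text):
    """Return the findings for one elasticsearch.yml plus an overall verdict."""
    s = parse_flat_yaml(config_text)
    findings = []

    # Elasticsearch binds to loopback only when network.host is not set at all.
    hosts = bound_hosts(s.get("network.host", "127.0.0.1"))
    non_local = [h for h in hosts if h not in LOOPBACK_VALUES]
    if non_local:
        findings.append(
            "network.host %s is reachable from other hosts" % ", ".join(non_local))

    # Before Elasticsearch 8.0 the default was security off, so a missing key
    # is treated the same as an explicit `false`.
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    if not security_on:
        findings.append(
            "xpack.security.enabled is not true: no authentication on the REST API")
    elif s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append(
            "xpack.security.http.ssl.enabled is not true: credentials travel in cleartext")

    # The exposure described in the article needs both conditions at once.
    exposed = bool(non_local) and not security_on
    return {"exposed": exposed, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(name, "EXPOSED" if result["exposed"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a copy of your own cluster’s elasticsearch.yml (`audit(open(path).read())`); a node that is reachable beyond loopback is only acceptable when the verdict is `ok`, meaning authentication is on, and it should additionally sit behind a firewall or reverse proxy rather than on a public address.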


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Tech Passionate and Heavy Geek! Into the blogging world since 2014 and never looked back since then :) I am also a YouTube Video Producer and an Aspiring Entrepreneur. Founder, MyDroidDoes


Android

Disney+ comes to Canada and the Netherlands on Nov. 12, will support nearly all major platforms at launch

Judhajeet Das


Disney+ will have an international launch that begins at the same time as its rollout in the U.S., Disney revealed. The company will launch its digital streaming service on November 12 in Canada and the Netherlands, and it will be available in Australia and New Zealand the following week. The streaming service will also support virtually every device and operating system from day one.

Disney+ will be available on iOS, Apple TV, Google Chromecast, Android, Android TV, PlayStation 4, Roku and Xbox One at launch, which is pretty much an exhaustive list of everywhere someone might want to watch it, leaving aside some smaller proprietary smart TV systems. That, combined with the day-and-date global markets, should be a clear indicator that Disney wants its service to be available to as many customers as possible, as quickly as possible.

Through Apple’s iPhone, iPad and Apple TV devices, customers will be able to subscribe via in-app purchase. Disney+ will also be fully integrated with Apple’s TV app, which is getting an update in iOS 13 in hopes of becoming even more useful as a central hub for all a user’s video content. The one notable exception on the list of supported devices and platforms is Amazon’s Fire TV, which could change closer to launch depending on negotiations.

In terms of pricing, the service will run $8.99 per month or $89.99 per year in Canada, and €6.99 per month (or €69.99 per year) in the Netherlands. In Australia, it’ll be $8.99 per month or $89.99 per year, and in New Zealand, it’ll be $9.99 per month or $99.99 per year. All prices are in local currency.

That compares pretty well with the $6.99 per month (or $69.99 yearly) asking price in the U.S., and undercuts the Netflix pricing in those markets, too. This is just the Disney+ service on its own, however, not the combined bundle that includes ESPN Plus and Hulu for $12.99 per month, which is probably more comparable to Netflix in terms of breadth of content offering.


Android

Huawei pushes back launch of 5G foldable, the Mate X

Judhajeet Das


If you were desperately ripping days off of your calendar until you could get your hands on Huawei’s $2,600 5G foldable, the Mate X — which was originally slated to launch next month — it sounds like you’re going to have to wait a bit longer, per TechRadar which attended a press event at Huawei’s Shenzhen headquarters today. 

It reports being told there is no possibility of a September launch. Instead Huawei is now aiming for November. But the company would only profess itself certain its first smartphone that folds out to a (square) tablet will launch before 2020. So it seems Mate X buyers may need to wait until circa Christmas to fondle this foldable.

It’s not clear exactly why the launch is being delayed. But — speculating wildly — we imagine it’s something to do with the fact that the screen, er, folds.

We’ve reached out to Huawei for official comment on the delay.

Huawei’s Mate X date slippage suggests Samsung will still be first to market with its (previously) delayed Galaxy Fold — which was itself delayed after a bunch of review units broke (because, well, did we tell you the screen folds?).

Last we heard, the Galaxy Fold is slated for a September release — Samsung seemingly confident it’s fixed the problem of how to make a foldable phone survive actual use.

Of course, survival in the wild very much remains to be seen with any of these foldables. So expect TC’s in-house hardware guru, Brian Heater, to put all of these expensively hinged touchscreens through their paces.

Returning to Huawei’s Mate X, potential buyers may not be entirely reassured to learn the company appeared to dangle rather more information about a planned sequel in front of reporters at the press event.

A sequel which may or may not have even more screens, as Huawei is apparently considering putting glass on the back. Yes, glass. (The gen-one Mate X will have a steel back.) Glass panels which it says could double as touchscreens. On the back. As well as the front. We have no idea if that means the price-tag will double too.

This theoretical quad (?) screen foldable follow-up to the still unreleased Mate X might even be released as soon as next year, according to TechRadar’s reportage. Or — again speculating wildly — it might never be released. Because, frankly, it sounds mental. But that’s the wacky world of foldables for ya.

There may be method in this madness too. Because, since smartphones turned into all-screen devices — making it almost impossible to tell one touch-sensitive slab from another — plucky Android device makers are trying to find a way to put more screen on the slab so you can see more.

If they can pull that off it might be great. However sticking a hinge right through the middle of a smartphone’s primary feature and function without that simultaneously causing problems is certainly a major engineering challenge.


Android

Huawei’s new OS isn’t an Android replacement… yet

Judhajeet Das


If making an Android alternative was easy, we’d have a lot more of them. Huawei’s HarmonyOS won’t be replacing the mobile operating system for the company anytime soon, and Huawei has made it pretty clear that it would much rather go back to working with Google than go it alone.

Of course, that might not be an option.

The truth is that Huawei and Google were actually getting pretty chummy. They’d worked together plenty, and according to recent rumors, were getting ready to release a smart speaker in a partnership akin to what Google’s been doing with Lenovo in recent years. That was, of course, before Huawei was added to a U.S. “entity list” that ground those plans to a halt.
