birddem ananth benard


Adam Makin

Aug 4, 2024, 2:43:22 AM8/4/24
to derhyveda

PhotoSquared App Leaked Personal Data And Sensitive Photos Online

A popular photo app that turns digital images into printed photo boards has exposed the personal data and photos of hundreds of thousands of its customers, according to a report by vpnMentor. The app, PhotoSquared, left an unsecured Amazon Web Services (AWS) storage bucket containing over one million records dating from November 2016 to January 2020. The records included user photos, order receipts, shipping labels and full names and home addresses of customers.

The data breach was discovered by a research team led by Noam Rotem and Ran Locar from vpnMentor, who notified PhotoSquared on February 4th. The company fixed the leak on February 14th, 10 days after being contacted by the researchers. PhotoSquared has not publicly acknowledged the incident or informed its customers of the potential risks.

The exposed data could have serious consequences for the privacy and security of PhotoSquared users. Hackers or malicious actors could use the data to launch phishing and identity theft attacks, or even target users' homes for robbery. The data could also be used to blackmail or extort users, especially those who uploaded sensitive or intimate photos to the app.

PhotoSquared is a small but popular app, with over 100,000 installs on Google Play. It allows users to upload photos to the app and order lightweight printed photo tiles for decoration. The app charges a small fee for each photo tile and delivers them to users' homes via USPS.

The app does not reference user data security and storage protocols in its terms of service or describe any steps it takes to protect its customers' data. The database in question was hosted in Maryland and contained 94.7GB of data.

This is not the first time that a photo app has leaked user data due to an unsecured AWS storage bucket. In 2019, another photo app called Ever exposed millions of photos and facial recognition data online. In 2018, a photo storage app called FamilyAlbum exposed over 8 million photos online.

Users of photo apps should be careful about what they upload and share online, and check the privacy policies and security practices of the apps they use. They should also monitor their online accounts and credit reports for any signs of suspicious activity or identity theft.

How to secure AWS storage buckets

Many data leaks from AWS storage buckets stem from misconfigured access controls and permissions. AWS provides several tools and best practices to help users secure their data and prevent unauthorized access. Here are some of the methods that users can apply to protect their AWS storage buckets:

    • Use Amazon S3 block public access. This feature allows users to block public access to their buckets and objects at the account or bucket level. Users can also prevent any future changes to the public access settings by using service control policies (SCPs) from AWS Organizations.
    • Use bucket policies and identity-based policies. These policies allow users to specify who can access their buckets and objects and what actions they can perform. Users should follow the principle of least privilege and grant only the necessary permissions to specific principals, such as IAM users, roles, federated users, service principals, IP addresses, or VPCs.
    • Use encryption. AWS offers several options for encrypting data in transit and at rest in S3. Users can choose to use server-side encryption (SSE) or client-side encryption (CSE) depending on their needs and preferences. SSE encrypts data before it is stored in S3 and decrypts it when it is retrieved. CSE encrypts data on the client side before uploading it to S3 and decrypts it after downloading it. Users can also use AWS Key Management Service (KMS) or their own encryption keys to manage the encryption keys.
    • Use monitoring and auditing tools. AWS provides various tools and services to help users monitor and audit their S3 activities and configurations. Users can use AWS CloudTrail to track API calls and data events related to their buckets and objects. Users can also use Amazon GuardDuty to detect malicious or unauthorized behavior in their S3 resources. Users can also use AWS Security Hub to check their compliance with security best practices and standards.

By following these methods, users can improve their security posture and reduce the risk of data leaks from their AWS storage buckets.
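As an added example (not part of the original post and not AWS code), the following offline Python check covers the first two points above: it flags bucket-policy statements that grant Allow to any principal without a narrowing Condition, and reports which of the four Block Public Access flags are off. The bucket name, account ID, role name and VPC endpoint ID are constructed placeholders.

```python
import json

# Constructed sample policies (illustrative bucket and role names, not PhotoSquared's real setup).
PUBLIC_READ_POLICY = json.dumps({"Statement": [{
    "Sid": "AllowAnyoneToRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photo-bucket/*"}]})

LEAST_PRIVILEGE_POLICY = json.dumps({"Statement": [
    # Only a named service role may read or write objects.
    {"Sid": "AllowOrderService", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/order-service"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-photo-bucket/*"},
    # Wildcard principal, but narrowed to one VPC endpoint by a Condition.
    {"Sid": "AllowFromVpcEndpointOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photo-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})

# The four flags of the S3 PublicAccessBlockConfiguration; all four should be True.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_wildcard_principal(principal):
    """True when a statement applies to anyone: "*" or {"AWS": "*"} (also "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def find_public_statements(policy_json):
    """Return Sids of Allow statements open to any principal and not narrowed by a Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    return [s.get("Sid", f"statement-{i}") for i, s in enumerate(statements)
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def block_public_access_gaps(config):
    """Return the Block Public Access flags that are missing or disabled in `config`."""
    return [flag for flag in BPA_FLAGS if not config.get(flag, False)]
```

Feed it the output of `get-bucket-policy` and `get-public-access-block` for each bucket; a non-empty result from either function is a finding to fix before data lands in the bucket.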
