The developer of a smartphone app has carelessly left a database accessible to anybody with an internet connection, exposing millions of records containing baby videos and photos, as well as the email addresses of users.
Information dating back to March 2019 was uncovered in the 70 million log files left exposed in an unsecured Elasticsearch database administered by Bithouse Inc, the developers of the Peekaboo Moments app.
The free app, which promises “flexible and secure privacy settings” while offering to help parents share unlimited high definition videos and photos of their newborn child with family members, was described by security researcher Dan Ehrlich as “grossly insecure.”
Ehrlich discovered that it was possible to access thousands of baby videos and photographs, as well as at least 800,000 email addresses, contained in the database, which was running on a cloud-based server.
As well as photographs, videos, and email addresses, the database also contained babies' dates of birth, their length and weight, and their longitude and latitude location data.
What a way for a child to enter the world, and experience their very first ever data breach.
There are also concerns that the breached data contained what appear to be Peekaboo Moments’ API keys for Facebook, used by parents to post to Facebook from the app. According to Ehrlich, the keys could be used by an attacker to gain access to content on an app user’s Facebook page.
All of this rather makes a mockery of Peekaboo Moments’ claims that it treats security and privacy as a priority:
“We completely understand how these moments [are] important to you. Data privacy and security come as our priority. Every baby’s photos, audios & videos or diaries will be stored in secured space. Only families and friends can have access to baby’s moments at your control.”
As Ehrlich told Data Breach Today, things got even worse when he attempted to contact the Chinese developers of Peekaboo Moments about the security breach and received no response.
About seven hours after the media picked up on the story, Bithouse Inc informed the media that it had secured the server containing the database and would check its infrastructure for other security issues.
Parents of newborn children have enough sleepless nights to contend with without also having to worry that the apps they might be using to share precious photos and videos have a sloppy attitude to security.