2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Summary: For the second time this month, sensitive information has leaked from an unprotected MongoDB database due to a number of security vulnerabilities. The popular family tracking app Family Locator exposed the real-time, unencrypted location data of more than 238,000 users.
The application is very similar to Apple's Find My Friends application. It lets users track family members and set up geofencing features, such as notifying users when family members leave work or arrive at school.
According to TechCrunch, this is not the first data exposure this month: the unprotected MongoDB database allowed anyone who knew the exact details of the server to access the information.
The exposed database was discovered by Sanyam Jain, a security researcher and member of the GDI Foundation, a non-profit organization responsible for detecting and analyzing criminal opportunities and publicly sharing them.
None of the data found in the database was encrypted: names, email addresses, profile photos, and plaintext passwords were easily accessible, and geofenced locations were visible along with their specified names. It would be effortless to learn not only where users are, but also where they live, where they work, and where their children go to school.
Boris Cipot, a senior security engineer at Synopsys, said: "Unfortunately, this is another case of data disclosure caused by non-technical processing."
"This serious misconduct should not happen, but as we often see, it does, and this usually happens if security procedures are not properly implemented or ignored," he said. "Security should not be taken lightly, especially when dealing with data entrusted to you by someone."
Family Locator React Apps developers did not respond to the media's approach. TechCrunch tried to contact the company for more than a week, but there was no contact information on its website, and the Australian Securities and Investments Commission's records returned only the name of the company's owner.
The database was later taken offline because it was hosted on the Azure cloud, but it is not known how long the database has been exposed.
"It's scary that apps that keep families safe and allow parents to monitor their children's whereabouts actually make it impossible for anyone to protect and access data," said EMEA, senior technical director of Arxan Technologies.
"We emphasize the importance of application security every day, but unfortunately, unless everything the application connects to is secure, it will still pose a danger to consumers. When developing an application, the build process and the security-critical process should be combined - security and data protection should not be an afterthought, or worse, completely ignored."
Earlier this month, MongoDB had a problem with another data breach; researcher Bob Diachenko found an unprotected database of 809 million email records, many of which contained personally identifiable information.
When DynaRisk, a security company, confirmed that the number of leaked records was actually three times higher than initially thought, things got worse, with the actual number exceeding 2 billion.
Most records contain the last name, email address, gender information, zip code and IP address of each entry. The records were cross-checked with the popular HaveIBeenPwned website, which showed that no data leaks had been found before, meaning the discovery was new and that the affected person had not previously been the target of data leaks.
Source: https://www.modb.pro/db/6319