Porn Blocking App called BlockerX Suffered a data leak that may have potentially put vulnerable users at risk. On August 2nd, I discovered a non-password-protected database containing a large number of publicly exposed records. Among discovered data are user’s personal data, links to Amazon AWS with screenshots, quotes, and other unprotected, at the same time, potentially critical data.
The exposed database contained
- 121,624 total records and
- one folder named “users” with 72,000 records.
Details of the discovery:
- Records that expose user names, some email addresses, and encrypted user data.
- Amazon AWS bucket names and addresses where user attachments and screenshots are uploaded.
- I saw several posts about disturbing thoughts, self-harm, rape, and murder.
- The database was set to open and visible in any browser (publicly accessible), and anyone could edit, download, or even delete data without administrative credentials.
Some of the user names appeared to be formatted in first and last names, and others were simply email addresses. These may have been added as a “username” by mistake, but they could potentially expose the real identity of the users.
There were links to Amazon AWS files such as BlockerX resource documents to help users, but I also saw user uploads like screenshots. The screenshots appeared to be in chronological order by date and then numbered. Hypothetically this format would be easy to guess and go through each and every screenshot looking for sensitive data.
You can read the full summary of my findings and report here: Porn Blocking App Data Breach
Jeremiah Fowler
View More PostsJeremiah Fowler: Director of Security Research, Communications Specialist, Journalist and Cofounder at SecurityDiscovery.com. I care about data protection, privacy, cyber security issues, and responsible disclosure. Contact me: j(at)securitydiscovery.com Twitter: @Yoda69
