Aug 20, 2018

Catalin Cimpanu reports:

Twitch is warning users of a bug in one of its recently retired features that may have exposed some of their messages to other users.

“On May 5, 2018, Twitch removed a legacy feature called Messages and provided users the ability to download an archive of past messages,” the game streaming company informed users via emails last week.

“Due to a bug in the code that generated the message archive files, which we have since fixed, a small percentage of messages were included in the wrong archives,” Twitch added. “As a result, some users who downloaded their message bundle may have one or more of your messages in their archive.”

Read more on BleepingComputer.

Aug 16, 2018

Erin Pearson reports:

A Melbourne private schoolboy who repeatedly broke into Apple’s secure computer systems is facing criminal charges after the technology giant called in the FBI.

The teen, who cannot be named for legal reasons, broke into Apple’s mainframe from his suburban home on multiple occasions over a year because he was such a fan of the company, according to his lawyer.

Read more on The Age.

Aug 14, 2018

Meagan Simpson reports that a Toronto man is suing Facebook Inc., Facebook Canada, and Cambridge Analytica. The basis for his suit, he claims, is that he has received hundreds of unwanted calls and emails since the breach, that those calls and emails are a consequence of his information being breached, and that the whole experience has significantly increased his anxiety:

Mattucci claims to have received and continues to receive anywhere from 10 to 20 unsolicited calls and emails every day. He said that these ‘irritants’ started right around the time of the data breach and feels there is a pretty clear connection.

These calls and emails, said his lawyer Darryl Singer, have exacerbated already existing anxiety issues. “[His anxiety] is a result of knowing his information is out there, receiving dozens and dozens of these unwanted calls and emails and not knowing who has his info or how it’s going to be used.”

Singer told IT World Canada that this has caused his client significant pain and grief as well as a loss of quality of life. Mattucci is receiving psychological treatment and has had to increase his medications since the whole experience began.

Read more on The London Free Press.

I know different countries have different standards for lawsuits over breaches, but if this suit was filed in the U.S., I’d be thinking about snowballs in excessively hot environments. But does this type of claim have any kind of reasonable chance of prevailing in Canada?

Aug 14, 2018

By Lee Johnstone and Dissent Doe

Sungy Mobile Limited (“GOMO”) claims to be the world’s leading mobile application developer and mobile advertising platform, with more than 2 billion downloads. Their GO Series apps include GOMO Reading, GO Launcher, GO SMS, GO Keyboard Pro, Z Camera, S Photo Editor, GO Music, GO Speed, Brightest Flashlight, and Z Launcher.

GOMO’s apps are very popular with children, and when GOMO leaked more than 50 million consumers’ information through a backup left reachable without any authentication, a lot of those 50 million consumers were children.

But do their parents know? It’s not clear.

Leak Discovered in May

On May 25, an independent researcher who calls himself “Flash Gordon” discovered what appeared to be GOMO backup data being served over plain HTTP (port 80) with no login required.

Although the data appeared to be from GOMO, we could find no way to alert them to their security issue via email or social media. There was no email address on their site, and a Google search returned no usable email address for their security or privacy personnel. Attempts to reach GOMO via their Twitter account were also unsuccessful.

On May 27, Flash discovered that there was also a second IP address that was exposing all of the backup data without any login required.

Both Flash Gordon and DataBreaches.net attempted to notify GOMO via their web host and even via the Privacy Commissioner for Personal Data, Hong Kong. The latter raised jurisdictional and statutory issues in trying to explain why they wouldn’t just reach out and notify the company when the data were being hosted in Hong Kong.

On May 30, five days after discovery, it appeared that the files might have been secured after Flash contacted NTT Com Asia Ltd on Facebook and informed them that one of their HKNet customers was leaking data and couldn’t be reached via email. On June 2, however, a re-check determined that both servers were leaking again. NTT Com Asia was contacted again, and again they assisted in the notification process. This time, the servers remained unavailable on re-check.

Findings: Corporate Data

Analysis of the GOMO data revealed that not only were GOMO’s application users affected (see below), but a lot of its development, internal, and system details and workings were also exposed. Data from every application, as well as deployment, product, administration, statistics and payment-gateway data and much more, was left unprotected in plaintext.

The databases also contained a lot of data that did not appear to be directly linked to their own applications, but might be related to other products of theirs involving providing digital marketing and game distribution services for merchants, brands, and other companies – material that might be especially attractive to threat actors who search for or stumble over it.

Checking the Google Play Store for applications under GOMO returns various versions of applications, with developer names like “GOMO apps,” “GOMO dev” and “GOMO,” but the official Play Store developer listing appears to be named “GOMO Limited.”

Findings: User Data

Data provided by Flash Gordon to Johnstone appeared to contain the complete backend system for many of GOMO’s products/applications. The backup was well over 28 GB as a mix of compressed archives and ordinary files. When decompressed, there was close to 100 GB of data in total.

Some of the data exposed by the leak indicated that the most frequent user languages represented in the files were English, Spanish, “Indian” (as labelled in the data), and French. There were 273 distinct language values and 301 distinct country values represented in the data; since that exceeds the number of real countries, at least some of the stored values are not standard codes.

All told, there were:

50,553,664 unique accounts
47,415,210 unique devices
4,379 distinct mobile numbers in accounts
51,426,769 distinct email addresses in accounts,
48,255,172 profiles, and
4 system users.

A redacted record, below, reveals that exposed data included email addresses, bcrypt password hashes, and country of user. The hash prefix $2a$10$ identifies bcrypt with a cost factor of 10; that makes bulk cracking slow but does not protect weak or reused passwords from an offline attack, so a password reset is still warranted for affected accounts:

(420865,NULL,'[redacted]@gmail.com',NULL,'1446416667477d5fb1ba798a67985','d5fb1ba798a67985','$2a$10$6EQadztZcwGKBRhewGj4SOlJRvsI39C4bm0vySv1UKldUvF.AIxM.','fr','FR',0,0,'XRlgLbzb5OoA7ixiWvX2MMSX6',2,1,'2015-11-02 06:25:10','2015-11-01 22:25:10')

Some entries, found in what appear to be Redis append-only files (appendonly.aof is Redis’s default AOF file name), contained data on U.S. persons that included their email address, username, school, gender, date of birth, and their International Mobile Subscriber Identity (IMSI) number, as these examples demonstrate. Note that the “encryptedPhone” field in the second record is not encrypted at all: the value is plain base64 and decodes directly to a phone number, which is why it is redacted here:

6370_appendonly.aof:{"[redacted]":"c15168219","email":"[redacted]@gmail.com","emailStatus":true,"username":"[redacted]","address":"Euclid, Ohio","college":"Euclid High School","sex":"1","birthday":"[redacted]","language":"US","version":"1359928652823","imsi":"[redacted]"}

6370_appendonly.aof:{"[redacted]":"c8203604","email":"[redacted]@gmail.com","encryptedPhone":"[redacted: base64 of the phone number]","phoneStatusEnum":{"value":0,"name":"suc"},"emailStatus":true,"username":"[redacted]","college":"Iolani School","sex":"1","birthday":"[redacted]","language":"US","version":"1358036318623","imsi":"[redacted]"}
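When a researcher receives a dump like this, the first job is triage: which fields are credentials, which are direct identifiers, and which “encrypted” fields are merely encoded. The following is an added example written for this post, not GOMO’s code and not a tool the researchers used. It parses the two record shapes shown above (an SQL-style tuple with a bcrypt hash, and grep output of JSON documents from a Redis AOF) and labels each field; the sample records are constructed with invented values in the same shape, and the “encryptedPhone” value is built by base64-encoding an invented number to show that the decoding needs no key. The age check uses the discovery date from the post.

```python
import base64
import json
import re
from datetime import date

# Field shapes seen in the redacted records: bcrypt "$2a$10$..." hashes,
# email addresses, E.164-style phone numbers and MySQL-style timestamps.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?\d{7,15}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?$")


def _sql_value(text, quoted):
    """Quoted text stays a string; bare NULL becomes None; other bare tokens stay raw."""
    if quoted:
        return text
    return None if text == "NULL" else text


def split_sql_tuple(line):
    """Split "(v1,'quoted, text',NULL,...)" into a list of Python values."""
    body = line.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    fields, cur, quoted, in_quote, i = [], [], False, False, 0
    while i < len(body):
        ch = body[i]
        if in_quote:
            if ch == "'" and body[i + 1:i + 2] == "'":  # '' is an escaped quote
                cur.append("'")
                i += 1
            elif ch == "'":
                in_quote = False
            else:
                cur.append(ch)
        elif ch == "'":
            in_quote = quoted = True
        elif ch == ",":
            fields.append(_sql_value("".join(cur), quoted))
            cur, quoted = [], False
        else:
            cur.append(ch)
        i += 1
    fields.append(_sql_value("".join(cur), quoted))
    return fields


def classify(value):
    """Label one field: 'bcrypt:cost=N', 'email', 'timestamp', 'cc2', 'null' or 'other'."""
    if value is None:
        return "null"
    m = BCRYPT_RE.match(value)
    if m:
        return "bcrypt:cost=%d" % int(m.group(1))
    if EMAIL_RE.match(value):
        return "email"
    if TS_RE.match(value):
        return "timestamp"
    if re.fullmatch(r"[A-Z]{2}", value):
        return "cc2"  # two-letter country/region code
    return "other"


def triage_sql_record(line):
    return [classify(v) for v in split_sql_tuple(line)]


def parse_aof_line(line):
    """Split a grep-style "file:{json}" line into (file name, parsed document)."""
    fname, _, doc = line.partition(":")
    return fname, json.loads(doc)


def decode_if_base64(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_pii(doc):
    """Report the personal fields a parsed AOF document exposes.

    'phone(base64)' marks a value that was only base64-encoded: reversible
    by anyone who has the dump, so it offers no protection at all.
    """
    findings = []
    for key, value in doc.items():
        if not isinstance(value, str):
            continue
        decoded = decode_if_base64(value)
        if decoded and PHONE_RE.match(decoded):
            kind = "phone(base64)"
        elif key.lower() == "birthday" and TS_RE.match(value):
            kind = "birthday"
        elif key.lower() == "imsi" and value.isdigit() and 14 <= len(value) <= 15:
            kind = "imsi"
        else:
            kind = classify(value)
        if kind != "other":
            findings.append((key, kind))
    return findings


def is_minor(birthday, as_of):
    """True if a person born on `birthday` (YYYY-MM-DD) is under 18 on `as_of` (YYYY-MM-DD)."""
    born, when = date.fromisoformat(birthday), date.fromisoformat(as_of)
    age = when.year - born.year - ((when.month, when.day) < (born.month, born.day))
    return age < 18


# Constructed samples in the shape of the post's redacted records (all values invented).
SAMPLE_SQL = ("(420865,NULL,'alice@example.com',NULL,'1446416667477deadbeef','deadbeef',"
              "'$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0',"
              "'fr','FR',0,0,'XRlgLbzb5OoA7ixiWvX2MMSX6',2,1,"
              "'2015-11-02 06:25:10','2015-11-01 22:25:10')")
FAKE_PHONE = "+15555550100"  # invented number, encoded the way the dump encodes it
SAMPLE_AOF = "6370_appendonly.aof:" + json.dumps({
    "uid": "c8203604", "email": "alice@example.com",
    "encryptedPhone": base64.b64encode(FAKE_PHONE.encode()).decode(),
    "phoneStatusEnum": {"value": 0, "name": "suc"}, "emailStatus": True,
    "username": "alice", "college": "Example High School", "sex": "1",
    "birthday": "2003-04-05", "language": "US", "version": "1358036318623",
    "imsi": "310150123456789",
})

if __name__ == "__main__":
    print(triage_sql_record(SAMPLE_SQL))
    fname, doc = parse_aof_line(SAMPLE_AOF)
    for key, kind in find_pii(doc):
        print(fname, key, kind)
    print("minor on discovery date:", is_minor(doc["birthday"], "2018-05-25"))
```

Running it over a real dump, one would feed every line of the account tables through triage_sql_record to confirm which column holds the hash, and every AOF document through find_pii to count how many records carry a birthday that makes the user a minor; that count is exactly the question the post raises about parental notification.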

The databases also exposed links to avatars, comments, notes and other application-based information such as users’ coins or game credits, in-app purchases, and more.

One file contained 49,243,538 accounts with email addresses, mobile phone numbers, passwords, language preference, country, and other account-related information. A second table in the account database contained just as many rows of account device information, with users’ ID numbers being matchable to the International Mobile Equipment Identity (IMEI) number, IMSI number, phone model information, language, country, and type of connection.

In total, there were more than 70 databases exposed, involving applications listed on GOMO’s website including Z Camera, Z Launcher, GO SMS, GO Music, GO Launcher, Bright Flashlight, and S Photo Editor. Other affected applications include GO Horoscope, GO Fitness, GO Currency, GO Video, as well as internal purchases, games, promotions, messages and contacts. And as noted earlier, also exposed was the complete GOMO deployment and development system with all end points, credentials and project information.

GOMO also provides services for clients such as private VPNs, and the exposed database contained 477,521 account IDs of customers who subscribe to this service.

Yet other files appeared to be activity logs that were updated as users used apps. The roster logs revealed that the backup was current and was continually being updated.

Who Knows? Who Should Know?

Since the data were secured, we have occasionally checked GOMO’s site to see if there was any disclosure or statement about the unsecured backup exposing data. We can find none. And there is still no email contact form or address to get in touch with the company to alert them to problems or to ask questions.

So have parents of children whose data were exposed been notified that their children’s name, date of birth, email address, and device and account information was exposed and available for access or download by threat actors?  Has GOMO analyzed their logs to determine how many IP addresses outside of their network may have accessed or exfiltrated their data?

And does Chinese law require disclosure or notification – either to consumers, parents, or the government itself for this type of leak? We are not sure.

Update of August 17: Yesterday, DataBreaches.net received an email from the security head for GOMO. GOMO writes, in relevant part (spelling corrected here; otherwise as in the original):

This issue happened when we were fixing an issue on AWS and had to open Port 80, however failed to close the port due to a tech bug. We realized the issue on 30th May and fixed this problem right after.

Their investigation noted two downloads at the end of May, which they believe to be “a kind reminder rather than a malicious attack.”
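GOMO’s account is that a port was opened on AWS during a fix and never closed (the post itself reached the exposed hosts through NTT Com Asia’s HKNet, and the two accounts are not reconciled here). Whatever the hosting, the control that catches a forgotten “temporary” rule is a periodic audit of ingress rules open to the whole internet. The following is an added example, not GOMO’s code and not part of the original post: it walks security groups in the JSON shape returned by `aws ec2 describe-security-groups`, reports every world-open ingress rule, flags those covering ports that should never face the internet unauthenticated (the port set is an assumption for illustration; 80 is included because here an HTTP listener served the backup, 6379 because the dump held Redis AOF data), and builds the revoke command for each finding. The security groups below are constructed sample data. A network rule is only one layer: the backup was also served with no authentication, and that would have been just as exposed had the port been opened deliberately.

```python
import json

WORLD = {"0.0.0.0/0", "::/0"}

# Assumed list of ports that should never be world-reachable without auth:
# HTTP used as a file server (80), MySQL, Redis, MongoDB. Adjust per estate.
SENSITIVE_PORTS = frozenset({80, 3306, 6379, 27017})


def rule_ports(perm):
    """Human-readable port label for one IpPermissions entry."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return "%s/%s" % (proto, lo) if lo == hi else "%s/%s-%s" % (proto, lo, hi)


def world_open_rules(groups, sensitive_ports=SENSITIVE_PORTS):
    """Return one finding per (group, rule, CIDR) where the CIDR is 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD:
                    continue
                # "-1" means every protocol and port, so it always covers a sensitive port.
                sensitive = proto == "-1" or any(lo <= p <= hi for p in sensitive_ports)
                findings.append({"group": sg["GroupId"], "name": sg.get("GroupName", ""),
                                 "proto": proto, "lo": lo, "hi": hi, "cidr": cidr,
                                 "ports": rule_ports(perm), "sensitive": sensitive})
    return findings


def revoke_command(f):
    """Build the AWS CLI call that removes exactly the rule in one finding."""
    perm = {"IpProtocol": f["proto"]}
    if f["proto"] != "-1":
        perm["FromPort"], perm["ToPort"] = f["lo"], f["hi"]
    key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in f["cidr"] else ("IpRanges", "CidrIp")
    perm[key] = [{field: f["cidr"]}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (f["group"], json.dumps([perm])))


# Constructed sample: one backup host with a forgotten port-80 rule and a
# world-open Redis port, plus a load balancer whose 443 exposure is intended.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "backup-host", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary, during fix"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0e9f8a7b", "GroupName": "web-lb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for f in world_open_rules(SAMPLE_GROUPS):
        flag = "SENSITIVE" if f["sensitive"] else "review"
        print("%-9s %s (%s) %s from %s" % (flag, f["group"], f["name"], f["ports"], f["cidr"]))
        if f["sensitive"]:
            print("   ", revoke_command(f))
```

In practice the input is `aws ec2 describe-security-groups --output json`, iterated per region and per account; a rule whose Description says “temporary” is exactly the kind that needs an expiry, so pairing this audit with a ticket or a scheduled job is what turns it from a one-off check into a control.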

In response to the incident, GOMO took a number of actions:

1) we have added additional manpower as backup process to double check when it comes to database related actions.

2) Enhanced Encryption process has been applied to all the User related data including but not limited to email/UI etc.

GOMO thanked us for the reporting, “which provides a kind Alarm for us to improve. User data security has always been central to our work and it will always stay the highest priority for the company.”

We are glad to have been of help, and hope that they will add something to their web site’s home page that lets people know how to contact them directly by email to report any privacy or data security concerns. In our opinion, every entity should provide a contact email for reporting concerns.
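The standard way to publish such a contact today is a security.txt file at /.well-known/security.txt, specified in RFC 9116 (published in 2022, after this post; it existed only as an Internet-Draft at the time). The following is an added, constructed example of that file, not anything GOMO publishes; the address, dates and URL are placeholders.

```text
# https://www.example.com/.well-known/security.txt  (constructed example)
Contact: mailto:security@example.com
Contact: https://www.example.com/security/report
Expires: 2026-12-31T23:59:59Z
Preferred-Languages: en, zh
Canonical: https://www.example.com/.well-known/security.txt
Policy: https://www.example.com/security/disclosure-policy
```

Contact and Expires are the two required fields; a file past its Expires date is treated as stale, so the entry needs an owner who renews it, which is precisely the gap this post ran into when a week of notification attempts found nobody to reach.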

Aug 10, 2018

Alexander J. Martin reports:

Butlin’s has confirmed that the records of up to 34,000 guests have been accessed by hackers.

The holiday camp chain says the stolen data does not include payment details – but customers’ names, holiday dates, postal and email addresses and telephone numbers are believed to have been accessed.

A spokesperson confirmed to Sky News that the compromise had taken place over the past 72 hours, and was caused by a phishing email which posed as the local Chamber of Commerce.

Read more on Sky News.