[BreachExchange] Pray.com exposed data of millions after database mess up

Destry Winant destry at riskbasedsecurity.com
Tue Nov 24 10:35:57 EST 2020


https://www.hackread.com/pray-com-exposed-after-database-mess-up/

Pray.com's poor security practices potentially exposed nearly 10 million
people to fraud and cyberattacks, vpnMentor's researchers claim.

The vpnMentor research team, led by Noam Rotem and Ran Locar, discovered
four misconfigured Amazon Web Services (AWS) S3 buckets belonging to the
Pray.com app that had been leaking the company's data dating as far
back as 2016.

Pray.com is one of the most popular Christian faith apps with more
than a million downloads on the Play Store.

Researchers claim that the misconfigured cloud infrastructure of the
Santa Monica-headquartered company led to the exposure of personal
data of roughly 10 million people. Reportedly, the app’s developers
didn’t properly secure the enormous reserves of data collected from
the app.

“Pray.com seemingly overlooked installing proper security measures on
its CloudFront account. As a result, any files on the S3 buckets could
be indirectly viewed and accessed through the CDN, regardless of their
individual security settings,” researchers wrote in the official blog
post.

Around 1.8 million files were stored on the misconfigured buckets,
mostly containing corporate content, including biblical audio and
daily prayer guidance.

However, around 80,000 files contained personal data such as profile
pictures of app users, home addresses, phone numbers and email addresses
of churchgoers, CSV files belonging to churches, and PII of people who
donated to churches via Pray.com.

The greatest risk comes from an app feature that uploads a user's entire
phonebook once the user grants it permission to invite their friends to
join. The uploaded phonebooks contained hundreds of contacts' phone
numbers, email addresses, home and business addresses, and other
personally identifiable information. Many files also contained users'
private account login details.

vpnMentor's researchers noted that some of the users affected by the
leak had '.mil' and '.gov' email addresses. These individuals are at
higher risk of phishing, account hijacking, and identity fraud.

The app did not implement reliable access controls on its CloudFront
CDN, a service that lets developers cache content on AWS-hosted edge
servers worldwide instead of serving every file from the app's own
server. CloudFront had read access to the buckets, so locking down the
buckets themselves did not help: the CDN served the 80,000 exposed files
to anyone who requested them.

Because of that, an attacker could easily have harvested millions of
people's private data. Ironically, most of those people were not
Pray.com users at all; their details arrived in other users' uploaded
phonebooks.

vpnMentor contacted Pray.com repeatedly in October and received a
one-word response from the company's CEO, Steve Gatena, which read:
"Unsubscribe." Five weeks after vpnMentor first attempted to contact
the company, the exposed files were removed from the buckets. However,
the AWS S3 buckets themselves remained exposed.
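The failure mode the researchers describe (a bucket that looks locked down on its own, but whose every object is readable through the CloudFront distribution in front of it) is easy to miss if you only audit the bucket policy. The following is an added example, not Pray.com's or vpnMentor's code, that audits both halves: the S3 bucket policy for anonymous read grants, and the CloudFront distribution config for whether viewers must present signed URLs or cookies. The bucket policies, distribution ARN and distribution configs are constructed samples in the shape that `aws s3api get-bucket-policy` and `aws cloudfront get-distribution-config` return; the names and IDs are made up.

```python
"""Classify how an unauthenticated user could reach objects in an S3 bucket:
directly (public bucket policy) or via a CloudFront distribution that has
origin access to the bucket but restricts nothing on the viewer side.
Added example; all inputs are constructed samples, not real configuration."""

# --- constructed samples (hypothetical bucket name, account and distribution) ---
DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST"

WEAK_BUCKET_POLICY = {  # the classic open bucket: anyone may GetObject
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media/*"}],
}

OAC_BUCKET_POLICY = {  # reads only via Origin Access Control from one distribution
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}}],
}

OPEN_DISTRIBUTION = {  # no signed URLs: the CDN serves whatever the origin allows
    "DefaultCacheBehavior": {
        "TrustedKeyGroups": {"Enabled": False, "Quantity": 0},
        "TrustedSigners": {"Enabled": False, "Quantity": 0}}}

SIGNED_URL_DISTRIBUTION = {  # viewers must present a signed URL or cookie
    "DefaultCacheBehavior": {
        "TrustedKeyGroups": {"Enabled": True, "Quantity": 1, "Items": ["EXAMPLEKEYGROUP"]},
        "TrustedSigners": {"Enabled": False, "Quantity": 0}}}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' or {"AWS": "*"} means any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_object_read(actions):
    """True if the action list covers s3:GetObject, directly or via a wildcard."""
    return any(a.lower() in ("*", "s3:*", "s3:get*", "s3:getobject")
               for a in _as_list(actions))


def public_read_sids(policy):
    """Sids of Allow statements letting anyone read objects (direct exposure)."""
    return [st.get("Sid", "<no Sid>") for st in _as_list(policy.get("Statement"))
            if st.get("Effect") == "Allow"
            and _principal_is_anonymous(st.get("Principal"))
            and _grants_object_read(st.get("Action"))]


def cloudfront_read_grants(policy):
    """Distribution ARNs that Origin Access Control statements allow to read objects."""
    arns = set()
    for st in _as_list(policy.get("Statement")):
        principal = st.get("Principal")
        if (st.get("Effect") == "Allow" and _grants_object_read(st.get("Action"))
                and isinstance(principal, dict)
                and "cloudfront.amazonaws.com" in _as_list(principal.get("Service"))):
            cond = st.get("Condition", {}).get("StringEquals", {})
            arns.update(_as_list(cond.get("AWS:SourceArn")))
    return arns


def viewer_access_restricted(dist_config):
    """True if the default cache behaviour requires CloudFront signed URLs/cookies
    (trusted key groups, or legacy trusted signers). Otherwise every object the
    origin lets CloudFront fetch is served to anyone who knows or guesses its path."""
    behaviour = dist_config.get("DefaultCacheBehavior", {})
    return any(behaviour.get(f, {}).get("Enabled") for f in ("TrustedKeyGroups", "TrustedSigners"))


def exposure_path(policy, dist_config, distribution_arn):
    """'direct' (public bucket), 'via-cdn' (bucket locked to CloudFront, but the
    CDN itself is open), or 'none' for the two paths this audit checks."""
    if public_read_sids(policy):
        return "direct"
    if distribution_arn in cloudfront_read_grants(policy) and not viewer_access_restricted(dist_config):
        return "via-cdn"
    return "none"


if __name__ == "__main__":
    for label, pol, dist in (("public bucket", WEAK_BUCKET_POLICY, OPEN_DISTRIBUTION),
                             ("OAC bucket, open CDN", OAC_BUCKET_POLICY, OPEN_DISTRIBUTION),
                             ("OAC bucket, signed URLs", OAC_BUCKET_POLICY, SIGNED_URL_DISTRIBUTION)):
        print(f"{label}: {exposure_path(pol, dist, DIST_ARN)}")
```

The point of running both checks together is the middle case: a bucket policy that only grants `s3:GetObject` to the CloudFront service principal passes every "is my bucket public" scanner, yet the distribution still hands the same objects to anyone. Either require signed URLs/cookies on the distribution for user-uploaded content, or keep that content out of the CDN origin altogether; deleting individual files, as happened here, leaves the path open for the next upload.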

