<div dir="ltr"><a href="https://mackeeper.com/blog/post/197-the-danger-of-apps-that-die">https://mackeeper.com/blog/post/197-the-danger-of-apps-that-die</a>
<p>Post-mortem breaches can be just as harmful as live production leaks… at least for these 198,000 people.</p>
<p>About three years ago there was an iPhone app named Kinotopic. According to their website, which is still up, “Kinotopic allows you to create, share, and store short video moments and make them more expressive – in the form of animated pictures and cinemagraphs.”</p>
<p>Past users of Kinotopic may be interested to learn that there is currently a MongoDB database that appears to belong to Kinotopic sitting out on the open internet with no protection whatsoever. This derelict MongoDB instance contains, among other things, the email addresses, usernames, and hashed passwords for what appear to be over 198,000 previous Kinotopic users.</p>
<p>I have tried to get in touch with the Kinotopic developers in several ways. All were unsuccessful. For example, the email address given on their website for help and support is <a href="mailto:help@kinotopic.com">help@kinotopic.com</a>. But good luck trying to send anything to that email address. It will bounce almost immediately.</p>
<p>Also, I had fun trying to contact Apple about the issue. I figured that Apple might have some way to contact the developers of a prior iPhone app. After all, doesn’t it make Apple look bad if an app that had gained Apple’s official seal of approval later exposes its user database to the entire world?</p>
<p>When I contacted Apple, they had this to say via email:</p>
<p><em>“Chris, if you believe that this issue affects the security of an iOS device or the iTunes Store, you may report it to <a href="mailto:product-security@apple.com">product-security@apple.com</a>. […]</em></p>
<p><em>On the other hand, if this security issue only affects the application itself, I’m afraid you will need to continue getting in touch with the app developer for assistance.”</em></p>
<p>When that response came back from Apple, they already knew that I had hit a dead end trying to contact the Kinotopic developers. I was expecting a little more assistance in tracking down the makers of this software that was, until recently, officially supported and offered in the iPhone App Store.</p>
<p>So, here’s where I’m at: if anyone reading this post knows of a way to get in contact with the Kinotopic developers (or their database administrators), please drop me a line at <a href="mailto:cvickery@kromtech.com">cvickery@kromtech.com</a>. Once I’m confident that they are the proper people to speak with, I can provide the exact IP address and port number of the exposed database. A semi-redacted overview screenshot of the database should be visible above this post. If that is your database, I want to talk with you.</p>
<p>And to anyone who may have used Kinotopic in the past: it’s probably time to cycle in some new passwords to your mix.</p>
<p>From: <em>MacKeeper Security Researcher: Chris Vickery.</em></p>
</div>
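<p>The derelict instance in the post had authorization disabled and was reachable from the public internet. As an added example, not code from the post or from Kinotopic, the following POSIX shell audit checks a mongod.conf for exactly those two settings; it assumes the YAML config format (MongoDB 2.6 and later) with one key per line, and the sample config files it writes are constructed.</p>

```shell
#!/bin/sh
# Added example, not code from the post: audit a mongod.conf (YAML style,
# MongoDB 2.6+) for the two settings that turn a forgotten MongoDB into an
# open database like the one described above: authorization left disabled
# and the listener bound to every interface. Assumes one "key: value" per
# line, as in the stock config file; the sample configs below are constructed.

# audit_mongod_conf FILE  -> prints one FAIL line per problem, returns 0 if clean
audit_mongod_conf() {
  conf="$1"; status=0
  # Drop comments first so a commented-out "authorization: enabled" cannot pass.
  stripped=$(sed 's/#.*//' "$conf")
  # No "authorization: enabled" under security: means anyone who can reach the
  # port can dump every collection, including the users collection.
  if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled[[:space:]]*$'; then
    echo "FAIL $conf: security.authorization is not enabled (no credentials needed)"
    status=1
  fi
  # bindIpAll: true, or a bindIp list containing 0.0.0.0 / ::, exposes the port
  # on every interface; no bindIp at all meant the same on mongod before 3.6.
  if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true'; then
    echo "FAIL $conf: net.bindIpAll is true (listening on all interfaces)"
    status=1
  else
    bind=$(printf '%s\n' "$stripped" | sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' | head -n 1)
    if [ -z "$bind" ]; then
      echo "FAIL $conf: net.bindIp not set (mongod < 3.6 listens on all interfaces)"
      status=1
    elif printf '%s\n' "$bind" | grep -Eq '(^|,)[[:space:]]*(0\.0\.0\.0|::)[[:space:]]*(,|$)'; then
      echo "FAIL $conf: net.bindIp '$bind' includes a wildcard address"
      status=1
    fi
  fi
  return $status
}

# write_samples DIR  -> writes a constructed weak config and a hardened one
write_samples() {
  printf 'net:\n  port: 27017\n  bindIp: 0.0.0.0\n' > "$1/weak.conf"
  printf 'security:\n  authorization: enabled\nnet:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\n' > "$1/hardened.conf"
}

# Demo run: the weak file should produce two FAIL lines, the hardened one none.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_mongod_conf "$demo_dir/weak.conf" || echo "weak.conf: exposed"
audit_mongod_conf "$demo_dir/hardened.conf" && echo "hardened.conf: ok"
rm -rf "$demo_dir"
```

The config audit only tells you what the file says; confirm the running process with a firewall rule review and an unauthenticated connection attempt from outside the host, which should be refused once the hardened settings are live.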