[BreachExchange] The Danger of Apps that Die

Inga Goddijn inga at riskbasedsecurity.com
Thu Mar 17 16:03:50 EDT 2016


https://mackeeper.com/blog/post/197-the-danger-of-apps-that-die

Post-mortem breaches can be just as harmful as live production leaks… at
least for these 198,000 people.

About three years ago there was an iPhone app named Kinotopic. According to
their website, which is still up, “Kinotopic allows you to create, share,
and store short video moments and make them more expressive – in the form
of animated pictures and cinemagraphs.”

Past users of Kinotopic may be interested to learn that there is currently
a MongoDB database that appears to belong to Kinotopic sitting out on the
open internet with no protection whatsoever. This derelict MongoDB instance
contains, among other things, the email addresses, usernames, and hashed
passwords for, what appear to be, over 198,000 previous Kinotopic users.

I have tried to get in touch with the Kinotopic developers in several ways.
All were unsuccessful. For example, the email address given on their
website for help and support is help at kinotopic.com. But good luck trying to
send anything to that email address. It will bounce almost immediately.

Also, I had fun trying to contact Apple about the issue. I figured that
Apple might have some way to contact the developers of a prior iPhone app.
After all, doesn’t it make Apple look bad if an app, that had gained
Apple’s official seal of approval, then later exposes its user database to
the entire world?

When I contacted Apple, they had this to say via email:

*“Chris, if you believe that this issue affects the security of an iOS
device or the iTunes Store, you may report it to product-security at apple.com. […]*

*On the other hand, if this security issue only affects the application
itself, I’m afraid you will need to continue getting in touch with the app
developer for assistance.”*

When that response came back from Apple they already knew that I had hit a
dead-end trying to contact the Kinotopic developers. I was expecting a
little more assistance in tracking down the makers of this software that
was, until recently, officially supported and offered in the iPhone App
Store.

So, here’s where I’m at:  If anyone reading this post knows of a way to get
in contact with the Kinotopic developers (or their database
administrators), please drop me a line at cvickery at kromtech.com. Once I’m
confident that they are the proper people to speak with, I can provide the
exact IP address and port number of the exposed database. A semi-redacted
overview screenshot of the database should be visible above this post. If
that is your database, I want to talk with you.

And to anyone that may have used Kinotopic in the past: it’s probably time
to cycle in some new passwords to your mix.

From:
*MacKeeper Security Researcher: Chris Vickery.*
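The instance described in the post is the combination of two mongod settings: a listener bound to every interface and no access control. Below is an added example, not code from Vickery's post or from Kinotopic, that audits a mongod.conf for exactly that pair. The two configuration files are constructed samples, and the parser handles only the indented "key: value" subset that mongod.conf uses, not general YAML.

```python
# Added example (not from the post or from Kinotopic): audit a mongod.conf
# for the two settings that produce an open instance like the one described,
# one reachable from the network that accepts any client without credentials.
# WEAK_CONF and HARDENED_CONF below are constructed samples.

WEAK_CONF = """\
# constructed sample: the exposed configuration
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface, the public one included
# no security section: authorization defaults to disabled
"""

HARDENED_CONF = """\
# constructed sample: loopback only, access control on
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Minimal parser for the indented 'key: value' subset mongod.conf uses.

    Nested mappings are recognised by indentation only; lists, quoting and
    anchors are not supported, so this is deliberately not a YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":  # a key with no scalar opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_config(text):
    """Return a list of findings; an empty list means neither exposure is present."""
    cfg = parse_simple_yaml(text)
    findings = []

    net = cfg.get("net", {})
    bind_ip = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    public = bind_all or (bind_ip is not None and any(
        addr.strip() in ("0.0.0.0", "::") for addr in bind_ip.split(",")))
    if public:
        findings.append("net.bindIp: mongod listens on all interfaces")
    elif bind_ip is None:
        # 3.6+ binaries bind to localhost when bindIp is absent; earlier
        # binaries listened on every interface, so an unset value is worth a look.
        findings.append("net.bindIp unset: localhost-only on 3.6+, all interfaces on older binaries")

    auth = cfg.get("security", {}).get("authorization", "disabled").lower()
    if auth != "enabled":
        findings.append("security.authorization not 'enabled': any client that connects gets full access")

    if public and auth != "enabled":
        findings.append("CRITICAL: open, unauthenticated instance reachable from the network")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_config(conf) or ["no findings"])
```

Run it against a real /etc/mongod.conf by reading the file into `audit_mongod_config`; the binding check only tells you what mongod will listen on, so a host firewall or cloud security group that blocks 27017 from the outside is the second control to verify, and the authorization check says nothing about how strong the configured users' passwords are.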