Pray.com applied poor security practices that potentially exposed nearly 10 million people to fraud and cyberattacks, vpnMentor's researchers claim.
A vpnMentor research team led by Noam Rotem and Ran Locar discovered four misconfigured Amazon Web Services (AWS) S3 buckets belonging to the Pray.com app that had been leaking the company's data dating as far back as 2016.
Pray.com is one of the most popular Christian faith apps, with more than a million downloads on the Play Store.
Researchers claim that the misconfigured cloud infrastructure of the Santa Monica-headquartered company led to the exposure of personal data belonging to roughly 10 million people. Reportedly, the app's developers did not properly secure the enormous volume of data the app collected.
“Pray.com seemingly overlooked installing proper security measures on its CloudFront account. As a result, any files on the S3 buckets could be indirectly viewed and accessed through the CDN, regardless of their individual security settings,” the researchers wrote in their blog post.
Around 1.8 million files were stored on the misconfigured buckets, most of them corporate content such as biblical audio and daily prayer guidance.
However, around 80,000 files contained personal data: profile pictures of app users, home addresses, phone numbers, email addresses of churchgoers, CSV files belonging to churches, and PII of people who had donated to churches via Pray.com.
The highest risk came from an app feature that, after obtaining permission to invite the user's friends, uploads the user's entire phonebook. Those phonebooks contained hundreds of contacts' phone numbers, email addresses, home and business addresses, and other personally identifiable information. Many files also contained users' private account login details.
vpnMentor researchers noted that some of the people affected by the leak had ‘.mil’ and ‘.gov’ email addresses. These individuals are at higher risk of phishing, account hijacking, and identity fraud.
The app did not implement reliable access controls on its CloudFront CDN, the AWS service that lets developers cache content on AWS-hosted edge servers worldwide instead of serving files from the app's own servers. Because the CDN itself held read access to the buckets, an object's own access settings did not matter: anyone who could reach the distribution could fetch it.
Since the CDN could serve the exposed 80,000 files, anyone who found the distribution could harvest millions of people's private data. Ironically, most of those people were not Pray.com users themselves; they appeared only as contacts in other users' uploaded phonebooks.
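The misconfiguration described above is detectable from a distribution's own configuration: an S3 origin served by a cache behavior that requires neither signed URLs nor signed cookies, combined with an origin access identity (or origin access control) that gives CloudFront its own read access to the bucket, means every object in the bucket is fetchable by anyone, whatever its ACL says. The audit below is an added example written for this page, not vpnMentor's tooling or Pray.com's code. It assumes the DistributionConfig shape returned by `aws cloudfront get-distribution-config`; the bucket name, origin ID, OAI ID and key-group ID in the constructed samples are hypothetical.

```python
"""Audit a CloudFront distribution for an exposed S3 origin.

Input shape follows the DistributionConfig dict from
`aws cloudfront get-distribution-config`. The sample configs at the bottom
are constructed for this example; all names and IDs in them are hypothetical.
"""
import json


def _is_s3_origin(origin):
    """True for REST-endpoint S3 origins (bucket.s3[.region].amazonaws.com)."""
    return "S3OriginConfig" in origin or ".s3." in origin.get("DomainName", "")


def _cdn_has_own_read_access(origin):
    """True when the bucket policy trusts CloudFront itself (legacy OAI or
    newer OAC). The bucket can then stay private to the world while CloudFront
    still reads every object, so per-object ACLs no longer limit exposure."""
    oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
    oac = origin.get("OriginAccessControlId", "")
    return bool(oai or oac)


def _viewer_restricted(behavior):
    """True when the behavior requires signed URLs or signed cookies."""
    signers = behavior.get("TrustedSigners", {}).get("Enabled", False)
    key_groups = behavior.get("TrustedKeyGroups", {}).get("Enabled", False)
    return bool(signers or key_groups)


def audit_distribution(dist_config):
    """Return one finding per cache behavior that exposes an S3 origin.

    severity "high":   CloudFront holds its own read access and the behavior
                       has no viewer restriction: the whole bucket is
                       world-readable through the CDN.
    severity "medium": no viewer restriction, but CloudFront fetches
                       anonymously, so only objects with public ACLs leak.
    """
    origins = {o["Id"]: o for o in dist_config["Origins"]["Items"]}
    behaviors = [("*", dist_config["DefaultCacheBehavior"])]
    for b in dist_config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))

    findings = []
    for path, behavior in behaviors:
        origin = origins.get(behavior["TargetOriginId"])
        if origin is None or not _is_s3_origin(origin):
            continue  # custom (non-S3) origins are out of scope here
        if _viewer_restricted(behavior):
            continue  # signed URLs/cookies required: not open to the world
        bucket = origin["DomainName"].split(".")[0]
        if _cdn_has_own_read_access(origin):
            findings.append({"path": path, "bucket": bucket, "severity": "high",
                             "reason": "OAI/OAC grants CloudFront read access and "
                                       "the behavior requires no signed URL or cookie"})
        else:
            findings.append({"path": path, "bucket": bucket, "severity": "medium",
                             "reason": "behavior requires no signed URL or cookie; "
                                       "objects with public ACLs are served to anyone"})
    return findings


def sample_distribution(restrict_viewer):
    """Constructed single-origin distribution (hypothetical names and IDs).
    restrict_viewer toggles the one setting that separates the weak and the
    hardened configuration."""
    return {
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "S3-example-app-assets",
            "DomainName": "example-app-assets.s3.amazonaws.com",
            "S3OriginConfig": {"OriginAccessIdentity":
                               "origin-access-identity/cloudfront/EXAMPLEOAI"},
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "S3-example-app-assets",
            "ViewerProtocolPolicy": "redirect-to-https",
            "TrustedSigners": {"Enabled": False, "Quantity": 0},
            # Hardened form: viewers must present a URL or cookie signed with a
            # key from this key group ("Restrict viewer access" in the console).
            "TrustedKeyGroups": {"Enabled": restrict_viewer,
                                 "Quantity": 1 if restrict_viewer else 0,
                                 "Items": ["EXAMPLEKEYGROUP"] if restrict_viewer else []},
        },
        "CacheBehaviors": {"Quantity": 0},
    }


WEAK_DISTRIBUTION = sample_distribution(restrict_viewer=False)
HARDENED_DISTRIBUTION = sample_distribution(restrict_viewer=True)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DISTRIBUTION), ("hardened", HARDENED_DISTRIBUTION)):
        print(name, json.dumps(audit_distribution(cfg), indent=2))
```

Restricting viewer access is the fix for a bucket that must stay private; for a distribution that is meant to serve public assets, the practical alternative is to keep personal data out of any bucket fronted by an unrestricted behavior, since no object-level ACL will stop the CDN from serving it.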
vpnMentor notified Pray.com repeatedly in October and received a one-word response from the company's CEO, Steve Gatena: “Unsubscribe.” Five weeks after vpnMentor first attempted to contact the company, the exposed files were removed from the buckets. However, the AWS S3 buckets themselves remained exposed.