Report: Photo App Exposes 100,000s of Users in Massive Data Leak
Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a data breach belonging to photography app PhotoSquared.
The exposed database potentially compromised the privacy and security of 100,000s of PhotoSquared users by revealing a massive amount of sensitive photos and personal information.
PhotoSquared could have easily avoided this leak, but instead, it represents a lack of basic security protocols by the company.
PhotoSquared is a USA-based app available on iOS and Android.
Users upload photos to the app which are turned into lightweight printed ‘photo tiles’ for decoration. These are then mailed to users for a small fee.
It's a small but popular app, with over 100,000 customer entries on this database alone.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research, or playing down its impact. So we need to be thorough and make sure everything we find is correct and accurate.
In this case, the database was hosted on AWS, using an S3 bucket with the company’s name in the database URL. There were also company invoices stored alongside user photos, all of which were completely unsecured.
The team quickly identified PhotoSquared as the owner and reached out.
- Date discovered: 30th January 2020
- Date vendors contacted: 04th February 2020
- Date of action: 14th February 2020
Example of Entries in the Database
PhotoSquared does not reference user data security and storage protocols in its terms of service or describe any steps it takes in this regard.
The database in question was hosted in the state of Maryland. It contained over a million records, totaling 94.7GB of data dating from November 2016 to January 2020.
The files uploaded to the database included:
- User photos for editing and printing
- PDF order records and receipts
- USPS shipping labels for delivery of photo tiles
Aside from personal photos, the private personal user data we viewed included:
- Full names of users
- Home/delivery addresses
- Order values in USD
These related to PhotoSquared’s nationwide customer base and, thus, affected people from all across the USA.
Example #1: Postage label with a users address
Example #2: An order record including a user’s address, photos, and transaction value
Example #3: 3 of the 1,000s of personal family photos uploaded to PhotoSquare’s database (blurred by us)
Impact For PhotoSquared
PhotosSquared is not a unique business. It has many competitors, both in phone apps and physical photography companies that offer similar services.
By leaking user data like this, it risks losing customers to competitors. Data privacy is a huge concern for many people, and they may be reluctant to trust an app that doesn’t take more robust data security measures.
PhotoSquared could further lose market share from competitors using the negative press against it, while also gaining insights into the company’s operations and finances to gain an edge.
There is also a further risk of legal action and fines due to the data breach. For instance, PhotoSquared falls under the jurisdiction of California’s CCPA law and will have to comply with its new laws regarding corporate data leaks.
Impact For PhotoSquared Customers
By not securing its database, PhotoSquared has put its customers in real danger, online and offline.
By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes.
Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.
With this kind of information, they could target victims in numerous illegal schemes:
- Stealing their identity
- Committing financial or credit card fraud
- Attacking them with malicious software like spyware and ransomware
Cybercriminals could also use the order details contained within the database to set up effective phishing campaigns posing as either USPS or PhotoSquared.
Example #4: More family photos
Advice from the Experts
PhotoSquared could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:
- Securing their servers
- Implementing proper access rules
- Never leaving a system that doesn’t require authentication open to the internet
Any company can replicate the same steps, no matter its size.
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
Securing an Open S3 Bucket
It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
In the case of PhotoSquared, the quickest way to fix this error would be to:
- Make the bucket private and add authentication protocols.
- Follow AWS access and authentication best practices.
- Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
For PhotoSquared Users
If you’re a customer of PhotoSquared and concerned about how this breach might impact you, contact the companies directly to find out what steps they’re taking.
To learn about data vulnerabilities in general, read our complete guide to online privacy.
It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.
How and Why We Discovered the Breach
As part of a major web mapping initiative, the breach in PhotoSquared's database was uncovered by the vpnMentor research group. Our investigative team employs port scanning to inspect specific IP blocks, assessing unsecured gaps in systems for possible vulnerabilities. Each exposed gap is subsequently examined for signs of data leakage.
When they find a data breach, they use expert techniques to verify the database’s identity. We then alert the company of the breach. If possible, we will also inform any other party affected by the breach.
Our team was able to access this bucket because it was completely unsecured and unencrypted.
The purpose of this web mapping project is to help make the internet safer for all users.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to PhotoSquared, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.
These ethics mean we also carry a responsibility to the public. PhotoSquared users must be aware of a data breach that impacts them too.
We also never sell, store, or expose any information we encounter during our security research.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data leaks in recent years.
This has included an enormous data leak exposing the data of 10,000s of American restaurant diners. We also revealed that a company owned by European hotel giant AccorHotels compromised the privacy and security of hotel guests around the world. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
[Publication date: 14.02.2020]