True promotes itself as the social networking app that “will protect your privacy”. But a security breach left one of its servers exposed – and spilled private user data on the internet for anyone to find.
The app was launched in 2017 by Hello Mobile, a little-known mobile phone operator that plugs into T-Mobile’s network. True’s website says it raised $14 million in seed funding and claimed more than half a million users shortly after launch.
But a dashboard for one of the app’s databases was exposed to the internet without a password, allowing anyone to read, browse and search the database, including users’ personal data.
Mossab Hussein, director of security at Dubai-based cybersecurity firm SpiderSilk, found the dashboard on display and provided details to TechCrunch. Data provided by BinaryEdge, a search engine for exposed databases and devices, showed that the dashboard had been on display since at least early September.
After we reached out, True took the dashboard offline.
Bret Cox, managing director of True, confirmed the security breach but did not answer our specific questions, including whether the company was planning to notify users of the security breach or whether it planned to disclose the incident to regulators under state data breach notification laws.
The dashboard contained daily server logs dating back to February and included the user’s registered email address or phone number, the content of private posts and messages between users, and the last known geolocation of the user, which could identify where a user was or had been. The dashboard also exposed the email and phone contacts uploaded by the user, which True uses to match known friends in the app.
None of the data was encrypted.
TechCrunch confirmed that the dashboard was returning real user data by creating a test account and asking Hussein to provide data that only we knew, such as the phone number used to register the account.
Hussein said the dashboard also disclosed account access tokens, which could be used to hack and hijack any user’s account. These account access tokens look like a row of random letters and numbers, but allow the user to stay logged in to the app without having to enter their login information each time. Using our test account, Hussein found our access token in the dashboard and used it to access our account and post to our feed.
The dashboard also exposed one-time login codes, which True sends to the email address or phone number associated with the account instead of storing passwords.
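The server logs described above held email addresses, phone numbers, account access tokens, one-time login codes and geolocation in the clear. The script below is an added example, not code from True or from this article, showing one defensive practice that would have limited the damage of an exposed log dashboard: scrub those fields before a log line is written anywhere a dashboard can index it. The log format, field names, sample values and the pseudonymisation key are all constructed for the example; bearer material (tokens, one-time codes) is dropped outright, identifiers are replaced with keyed pseudonyms so incidents can still be traced, and precise coordinates are removed.

```python
import hashlib
import hmac
import re

# Constructed sample log lines in the shape the article describes: a registered
# e-mail or phone number, an account access token, a one-time login code and a
# last known geolocation. Every value below is made up.
SAMPLE_LOG_LINES = [
    'ts=2020-09-01T10:12:03Z user=alice@example.com token=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c lat=37.7749 lon=-122.4194 msg="login ok"',
    'ts=2020-09-01T10:12:09Z phone=+14155550123 otp=483920 msg="one-time code sent"',
    'ts=2020-09-01T10:12:15Z user=alice@example.com token=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c msg="post created"',
]

# Assumed: a secret kept outside the log store, used to pseudonymise identifiers
# so the same user still correlates across lines without the raw value leaking.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"

# key=value fields whose values are bearer material and must never reach a log.
SECRET_KV_RE = re.compile(r'\b(access_token|token|session|otp|code)=(\S+)', re.IGNORECASE)
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
# 10-15 digit runs not glued to a preceding word character or ':' (so hex
# pseudonyms and timestamps are not mistaken for phone numbers).
PHONE_RE = re.compile(r'(?<![\w:])\+?\d{10,15}\b')
GEO_RE = re.compile(r'\b(lat|lon|lng)=-?\d+(?:\.\d+)?')


def pseudonym(value, key=PSEUDONYM_KEY):
    """Stable, non-reversible stand-in for an identifier (truncated HMAC-SHA256)."""
    return "pseudo:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact_line(line, key=PSEUDONYM_KEY):
    """Scrub one log line before it is shipped to any store or dashboard."""
    # 1. Tokens and one-time codes have no diagnostic value: drop them entirely.
    line = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    # 2. Direct identifiers become keyed pseudonyms; correlation survives, the value does not.
    line = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), key), line)
    line = PHONE_RE.sub(lambda m: pseudonym(m.group(0), key), line)
    # 3. Precise location is removed; debugging rarely needs it.
    line = GEO_RE.sub(lambda m: f"{m.group(1)}=[REMOVED]", line)
    return line


def redact_lines(lines, key=PSEUDONYM_KEY):
    return [redact_line(line, key) for line in lines]


def contains_sensitive(line):
    """Pre-ship check: True if anything the patterns cover survived redaction."""
    return bool(
        EMAIL_RE.search(line)
        or PHONE_RE.search(line)
        or re.search(r'\b(token|otp)=(?!\[REDACTED\])', line)
        or re.search(r'\b(lat|lon)=(?!\[REMOVED\])', line)
    )


if __name__ == "__main__":
    for raw in SAMPLE_LOG_LINES:
        clean = redact_line(raw)
        print(clean)
        assert not contains_sensitive(clean)
```

The pseudonym step is what keeps the logs usable: the same email or phone number maps to the same `pseudo:` value on every line, so an operator can still follow one account through an incident, while anyone who later finds the log store gets neither the identifier nor the credential.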
True says deleting an account “will immediately remove all of your content from our servers,” but deleting our test account did not delete our private messages, posts, and photos, which were still searchable from the dashboard.
“This is another example of how mistakes can happen in any organization, even those that are focused on privacy,” Hussein told TechCrunch. “This underscores the importance of not only creating secure websites and applications, but also ensuring that appropriate data security measures are built into their internal procedures.”
A spokesperson for Hello Mobile could not be reached.
Hussein also found an exposed database dashboard owned by Blind, the “anonymous social network” favored by employees for disclosing wrongdoing at their companies.
You can send tips securely to the author over Signal and WhatsApp at +1 646-755-8849.