Pierluigi Paganini October 05, 2020

Cybernews has found an exposed data bucket that belongs to the Australian news sharing platform Snewpit containing around 80,000 user records.

Original post at https://cybernews.com/security/australian-social-news-platform-leaks-80000-user-records/

To increase efforts to secure user data, Snewpit will be reviewing “all server logs and access control settings” to confirm that no unauthorized access took place and to ensure that “user data is secure and encrypted.”

The CyberNews investigations team discovered an exposed data bucket that belongs to Snewpit, an Australian news sharing platform. The unsecured bucket contains close to 80,000 user records, including usernames, full names, email addresses, and profile pictures.

The files that contain the records were stored on a publicly accessible Amazon Web Services (AWS) server, which means that anyone with a direct URL to the files could access and download the data that was left out in the open.

On September 24, the sensitive files in the Snewpit bucket were secured by the company and are no longer accessible.

To see if your email address has been exposed in this or other security breaches, use ourpersonal data leak checker.

What data is in the bucket?

The exposed Snewpit Amazon AWS bucket contained 26,203 files, including:

• 256 video files filmed and uploaded by Snewpit users and developers
• 23,586 image files of photos documenting local events that were apparently uploaded by the users
• 4 CSV files, one of which contained 79,725 user records, including full names, email addresses, usernames, user descriptions, last login times, and total time spent in the Snewpit app, among other metrics

Aside from the user records, the bucket also contained thousands of user profile pictures.

Examples of exposed records

Here are some examples of the user records, videos, and images left on the exposed Snewpit bucket.

The CSV file contains user records for what we assume to be users who downloaded and installed the Snewpit app, which currently has 50,000+ installs on Apple’s App Store and Google’s Play store.

The video files stored in the bucket seem to show raw footage from news posts, including criminal incidents.

There were also user profile pictures among the files stored in the bucket.

Who owns the bucket?

The publicly available Amazon bucket appears to belong to Snewpit, a software company based in Australia. Snewpit is a map-based peer-to-peer app that allows users to create, find, and share real-time news updates, as well as receive notifications for news posted within 5 kilometers of their location. 

According to the developers, the app is aimed at helping users “form a worldwide community of citizen journalists, reporting and discovering local news and events happening around them.”

The app is mostly used by Australians, with small userbases currently located in the US and the UK.

Who had access to the data?

According to Snewpit founder Charlie Khoury, the bucket has been exposed for 5 weeks since the development team made server changes to the system reporting. While Snewpit have not noticed any suspicious activity, the company is reviewing all server logs to confirm that this is the case.

”We will be reviewing all access control settings and ensuring our user data is secure and encrypted. We take our data and security seriously and will endeavour to make sure this does not happen again.” -Charlie Khoury

With that said, the files were stored on a publicly accessible Amazon S3 server, and bad actors can find unprotected Amazon buckets relatively easily. Since these buckets lack any sort of protection from unauthorized access, there is a possibility that the data may have been accessed by bad actors for malicious purposes during the 5-week period.

What’s the impact of the leak?

Fortunately, the files stored in the exposed Snewpit bucket don’t contain any deeply sensitive information like personal document scans, passwords, or social security numbers. However, even this data can be enough for bad actors to abuse for a variety of malicious purposes:

• Contact details like full names and email addresses can be used by phishers and scammers to commit targeted attacks against the exposed Snewpit users by sending them malicious spam emails
• Particularly determined cybercriminals can combine the data found in this bucket with previous breaches in other verticals in order to build more accurate profiles of potential targets for identity theft

What happened to the data?

We discovered the Snewpit bucket on September 24 and immediately reached out to the company in order to help secure the bucket. The Snewpit team responded within minutes and secured the files containing user records on the same day.

What to do if you’ve been affected by the leak?

If you have a Snewpit account, there is a high chance that your records may have been exposed in this breach. To secure your data and avoid any potential harm from bad actors, we recommend doing the following:

1. Use our personal data leak checker to see if your email address has been leaked.
2. Immediately change your email password and consider using a password manager.
3. Enable two-factor authentication (2FA) on your email and other online accounts.
4. Look out for incoming spam emails and phishing messages. Don’t click on anything that looks even remotely suspicious, including emails from senders you do not recognize. 

Original post at https://cybernews.com/security/australian-social-news-platform-leaks-80000-user-records/

Pierluigi Paganini

(SecurityAffairs – hacking, Snewpit)

[adrotate banner=”5″]

[adrotate banner=”13″]