Pierluigi Paganini March 18, 2016

Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.

The security researcher Chris Vickery has discovered a database belonging to an abandoned iOS app, the Kinoptic iOS app, that is exposing on the Internet personal details of over 198,000 users.

The Kinoptic iOS app allowed Apple users to create cinematic slideshows of their photos, animate smaller portions of one picture and, of course, to share it through social media platforms.

“Kinotopic allows you to create, share, and store short video moments and make them more expressive – in the form of animated pictures and cinemagraphs.” states the app description.

The Kinoptic iOS app was present on the official App store from 2012 to 2015, its website was closed early 2016.

Chris Vickery is popular for its researches on Intente-exposed MongoDB databases, he discovered archives exposing the personal details of hundred millions U.S. voters and recently a misconfigured MongoDB installation behind a Microsoft’s career portal that exposed visitors to attacks.

Vickery explained confirmed that the database behind the Kinoptic iOS app remained online, despite the application was removed from the official Apple store.the disconcerting aspect of the story is that the developers of the Kinoptic iOS app abandoned their service, leaving the data exposed on the Internet … a present for crooks that could use them to target the unaware users.

The data is available without authentication and includes usernames, email addresses, and hashed passwords, along with other details stored in profiles managed by the Kinoptic iOS app.

Vickery tried to report the issue to both Kinoptic developers and Apple. The Kinoptic team has never replied to the expert, meanwhile the Apple’s reply was:

“Chris, if you believe that this issue affects the security of an iOS device or the iTunes Store, you may report it to product-security@apple.com. […]

On the other hand, if this security issue only affects the application itself, I’m afraid you will need to continue getting in touch with the app developer for assistance.”

This means that the data will continue to stay online until the server or the database is shut down.

Of course, if you have used in the past the Kinoptic app you need to change the password as soon as possible.

Pierluigi Paganini

(Security Affairs – Kinoptic iOS app, hacking)