DB of the Kinoptic iOS app abandoned online with 198,000 records

Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.

The security researcher Chris Vickery has discovered a database belonging to an abandoned iOS app, the Kinoptic iOS app, that is exposing on the Internet personal details of over 198,000 users.

The Kinoptic iOS app allowed Apple users to create cinematic slideshows of their photos, animate smaller portions of one picture and, of course, to share it through social media platforms.

“Kinotopic allows you to create, share, and store short video moments and make them more expressive – in the form of animated pictures and cinemagraphs.” states the app description.

The Kinoptic iOS app was present on the official App store from 2012 to 2015, its website was closed early 2016.

Chris Vickery is popular for its researches on Intente-exposed MongoDB databases, he discovered archives exposing the personal details of hundred millions U.S. voters and recently a misconfigured MongoDB installation behind a Microsoft’s career portal that exposed visitors to attacks.

Vickery explained confirmed that the database behind the Kinoptic iOS app remained online, despite the application was removed from the official Apple store.the disconcerting aspect of the story is that the developers of the Kinoptic iOS app abandoned their service, leaving the data exposed on the Internet … a present for crooks that could use them to target the unaware users.

The data is available without authentication and includes usernames, email addresses, and hashed passwords, along with other details stored in profiles managed by the Kinoptic iOS app.

Vickery tried to report the issue to both Kinoptic developers and Apple. The Kinoptic team has never replied to the expert, meanwhile the Apple’s reply was:

“Chris, if you believe that this issue affects the security of an iOS device or the iTunes Store, you may report it to product-security@apple.com. […]

On the other hand, if this security issue only affects the application itself, I’m afraid you will need to continue getting in touch with the app developer for assistance.”

This means that the data will continue to stay online until the server or the database is shut down.

Of course, if you have used in the past the Kinoptic app you need to change the password as soon as possible.

Pierluigi Paganini

(Security Affairs – Kinoptic iOS app, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.