The webcam application Adorcam exposed user data after leaving an Elasticsearch database online without a password to protect it. Following the security incident, thousands of app users have been compromised, given that the program has more than 10,000 downloads on the Google Play Store.
Adorcam is an app designed to view and control peer-to-peer (P2P) IP cameras of various models, including the likes of Umino and Zeeporte.
According to TechRadar, the incident was discovered by security researcher Justin Paine. Based on Paine’s blog post, the researcher first alerted the webcam company on January 14, 2021, and again the next day, January 15, 2021, when the company acknowledged his report.
The exposed Elasticsearch database was secured on January 19, 2021, five days after Paine first informed the company.
The exposed information includes users’ email addresses, their WiFi network names, hashed passwords, and “potentially” some images captured by the web cameras in question, Paine said in his blog post.
TechCrunch reports that the cameras were found to have uploaded some of the stills they captured to the cloud. However, the news site notes that Paine was unable to verify this, because the links pointing to that evidence had already expired.
In total, the security researcher found approximately 124 million rows of data covering thousands of users. Details of the cameras themselves were also exposed, including each camera’s serial number and its settings.
Beyond that, the database also held data collected by the webcams themselves. TechCrunch states this includes location or geographical information as well as microphone status at the time, such as whether or not the microphone was turned on.
To prove that the exposed Elasticsearch database was in production use, Paine created an account of his own.
In his blog post, Paine said, “To rule this out I conducted a test to definitely prove that this database was being used for production traffic related to the iOS and Android apps. I signed up. I was able to find my test account within the database, and therefore confirmed this was the live database – and not a development database as I initially suspected.”
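The root cause reported above is an Elasticsearch cluster that answered anonymous requests. The following self-audit is an added example, not code from the article or from Adorcam: it probes a cluster the way an unauthenticated client would and flags it as exposed when the root endpoint or the index listing answers with data instead of a 401/403. The base URL, the injectable `fetch` callable and the sample responses are constructed for the example.

```python
"""Self-audit: does this Elasticsearch endpoint answer anonymous requests?"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetcher returns (HTTP status, body text) for an unauthenticated GET.
Fetch = Callable[[str], Tuple[int, str]]

# Paths an anonymous client would hit first: cluster banner and index listing.
PROBE_PATHS = ("/", "/_cat/indices?format=json")


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Plain GET with no credentials; a 401/403 is returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Turn one anonymous response into 'auth-required', 'exposed' or 'unknown'."""
    if status in (401, 403):
        return "auth-required"  # security is on and anonymous access was refused
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        # Root banner carries cluster_name; /_cat/indices?format=json is a list.
        if isinstance(data, dict) and "cluster_name" in data:
            return "exposed"
        if isinstance(data, list):
            return "exposed"
    return "unknown"


def audit(base_url: str, fetch: Fetch = http_fetch) -> Dict[str, object]:
    """Probe every path anonymously; any 'exposed' verdict means act now."""
    base = base_url.rstrip("/")
    per_path = {path: classify(*fetch(base + path)) for path in PROBE_PATHS}
    if "exposed" in per_path.values():
        overall = "exposed"
    elif all(v == "auth-required" for v in per_path.values()):
        overall = "auth-required"
    else:
        overall = "unknown"
    return {"paths": per_path, "overall": overall}
```

The fix on the cluster side is to require authentication (in current releases, `xpack.security.enabled: true` in `elasticsearch.yml`) and to keep the HTTP port off the public Internet; this script only tells you whether that has been done.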
Paine continued to detail the probable risks of the incident, some of which he said could lead to social engineering attacks such as phishing.
TechCrunch reports that Adorcam has yet to say whether it intends to disclose the incident publicly or to notify affected users about the leak.