A discovery by vpnMentor’s team revealed a security breach in a domestic violence prevention application called Aspire News App. The mobile application was created and published by the non-profit organization When Georgia Smiled.
Headed by cybersecurity analysts Noam Rotem and Ran Locar, the report showed that around 230MB of data was leaked, including over 4,000 recordings sent in by victims of domestic abuse.
Aside from recordings of emergency messages, the leak also involves personally identifiable information (PII) including names, home addresses, and details of their situation. Names and personal details of abusers were also leaked. Around 4,000 individuals are potentially affected by this breach.
As per a sample presented in the report, the information was sensitive. One transcript says, “[Full name] is threatening me or hurting me. Please send help now. [Full address].” Some audio files were pre-recorded, which is a feature allowed by the app.
vpnMentor’s team noted that this issue can potentially put victims in physical danger, especially if their identities are publicly revealed. Moreover, it also puts them at risk of being blackmailed if they do not want to be exposed.
The breach occurred in the Amazon Web Services (AWS) S3 bucket where the data was stored. According to the analysts, who discovered the issue on June 24, the bucket had been publicly accessible before the discovery.
Upon finding the vulnerability, the team contacted When Georgia Smiled and the Dr. Phil Foundation, as well as AWS. vpnMentor also got in touch with TechCrunch’s Zack Whittaker for another perspective and verification of the breach.
On the day of the discovery and contact, AWS got back to the research team saying that the owners had been informed. The security issue was also addressed and closed that same day, showing quick action from the vendor and service provider.
The team warned that organizations and developers of Aspire News App “could face considerable scrutiny and criticism for committing such a fundamental error and not protecting its users.”
TV personalities Dr. Phil McGraw and his wife Robin could receive negative press, while their non-profit organization When Georgia Smiled “could also face investigations and auditing from US government agencies” given the extremely sensitive info that leaked.
Experts at vpnMentor suggested that measures should be taken to protect users including the use of proper access rules, authenticated requests for download, and data encryption in the bucket.
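The first two of those measures can be checked mechanically. The following is an added example, not code from vpnMentor's report or from the Aspire News App: a small Python audit that flags bucket-policy statements and ACL grants open to anonymous or any-authenticated principals, run over constructed sample documents (the bucket ARN, role ARN and account id are placeholders).

```python
BUCKET = "arn:aws:s3:::example-bucket-placeholder"  # placeholder ARN

# Constructed sample bucket policy, the weak form: anonymous read of every
# object, which is the class of misconfiguration behind a public bucket.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

# Constructed hardened policy: only a named application role may read, and
# every request that is not sent over TLS is denied.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend-placeholder"},
     "Resource": BUCKET + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Constructed ACL in the shape returned by GetBucketAcl, with a public grant.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _is_anonymous(principal) -> bool:
    """True when a statement's Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_allow_sids(policy: dict) -> list:
    """Sids of Allow statements open to anonymous principals with no
    Condition narrowing them; a Deny with Principal '*' is not flagged."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no sid>") for s in stmts
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_permissions(acl: dict) -> list:
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

if __name__ == "__main__":
    print(public_allow_sids(WEAK_POLICY), public_acl_permissions(WEAK_ACL))
```

The audit covers the policy and ACL only; the encryption measure is a separate bucket setting and is not inspected here.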