Researchers at the cybersecurity firm vpnMentor found that the Christian faith app Pray.com exposed users’ personal information after its developers failed to secure its cloud databases.
According to vpnMentor, cloud databases stored on Amazon Web Services (AWS) servers were left wide open, completely unsecured and unencrypted. Researchers Noam Rotem and Ran Locar found that the California-based developers had misconfigured the AWS servers, leading to the data exposure.
The exposed data, 262GB in total, includes 80,000 pieces of personal identification information belonging to tens of millions of people, not just Pray.com users. Photos uploaded to the application, including profile photos and avatars, are also exposed.
There are also files on congregations and church attendees, with home and email addresses, phone numbers and marital status. Photos of minors are included, as are records of church donations made using the app.
The only things missing are the records of donations being forwarded to churches. AWS misconfigurations are the culprit in most data leaks. The cybersecurity company only uncovered the issue as part of a larger web mapping project.
When the researchers analyzed the application, they found the unsecured servers by port-scanning IP blocks and testing them for exploitable weaknesses. The investigation showed that anyone could easily access the buckets because basic security practices were lacking.
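The "wide open, unencrypted" bucket described above is the configuration a defender should be able to spot before a third party does. As an added example (not from the article or from vpnMentor), the checker below evaluates the four settings an auditor would pull with the AWS CLI (get-bucket-acl, get-bucket-policy, get-public-access-block, get-bucket-encryption) against constructed sample inputs, with an open bucket beside its hardened counterpart.

```python
# Added example, not from the article or from vpnMentor: an offline checker for
# the settings an auditor pulls with get-bucket-acl, get-bucket-policy,
# get-public-access-block and get-bucket-encryption. Inputs are constructed.

PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def policy_allows_anonymous(policy):
    """True if an Allow statement names the wildcard principal. Conditions are
    not evaluated, so a hit means 'review this', not proof of exposure."""
    for stmt in (policy or {}).get("Statement", []):
        p = stmt.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        if stmt.get("Effect") == "Allow" and (aws == "*" or (isinstance(aws, list) and "*" in aws)):
            return True
    return False

def assess_bucket(acl, policy, public_access_block, encryption):
    """Return a list of findings for one bucket; empty means nothing public found."""
    pab = public_access_block or {}
    findings = []
    # Grants to the global groups let anyone read objects unless Public Access
    # Block tells S3 to ignore public ACLs.
    acl_public = any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
                     for g in acl.get("Grants", []))
    if acl_public and not pab.get("IgnorePublicAcls"):
        findings.append("ACL grants access to AllUsers/AuthenticatedUsers")
    if policy_allows_anonymous(policy) and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows anonymous principal")
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("Public Access Block not fully enabled")
    if not encryption:  # get-bucket-encryption returned no rules
        findings.append("no default server-side encryption configured")
    return findings

# Constructed sample resembling the exposure described above.
OPEN_BUCKET = dict(
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GROUPS[0]},
                     "Permission": "READ"}]},
    policy={"Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject", "Resource": "*"}]},
    public_access_block={}, encryption=None)
# Constructed hardened counterpart: owner-only ACL, no policy, all PAB flags on.
HARDENED_BUCKET = dict(
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                     "Permission": "FULL_CONTROL"}]},
    policy=None, public_access_block={k: True for k in PAB_KEYS},
    encryption={"Rules": [{"ApplyServerSideEncryptionByDefault":
                           {"SSEAlgorithm": "aws:kms"}}]})
```

Run `assess_bucket(**OPEN_BUCKET)` to see all four findings and `assess_bucket(**HARDENED_BUCKET)` to see an empty list.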
“The long lists of donations processed by Pray.com would give cybercriminals invaluable insight into the finances of app users, and an opportunity to contact them appearing as the app, querying a previous donation,” said the researchers.
As white hat hackers, the researchers reached out to Pray.com to report the issue and explain its scale. However, the parent company has not attempted to solve the problem.
According to vpnMentor, they’ve reached out more than once and failed to receive a response. “We contacted AWS directly to notify them. AWS confirmed they had informed Pray.com of the breach a few days later, but there remains no evidence that the company has attempted to resolve the issue,” said vpnMentor researchers.
Five weeks after the initial attempt to contact the company, the CEO responded with a one-word email: ‘Unsubscribe’. vpnMentor calls this blatant negligence on the part of the company.
vpnMentor said its findings indicate that about 10 million people are affected by the Pray.com leak. The app allegedly stores people’s private data without their direct permission, and those affected do not realize this is happening.