The Danger of Apps that Die
Post-mortem breaches can be just as harmful as live production leaks… at least for these 198,000 people.
About three years ago there was an iPhone app named Kinotopic. According to their website, which is still up, “Kinotopic allows you to create, share, and store short video moments and make them more expressive – in the form of animated pictures and cinemagraphs.”
Past users of Kinotopic may be interested to learn that there is currently a MongoDB database that appears to belong to Kinotopic sitting out on the open internet with no protection whatsoever. This derelict MongoDB instance contains, among other things, the email addresses, usernames, and hashed passwords for what appear to be over 198,000 previous Kinotopic users.
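The exposure described above, a database listening on the open internet with no authentication, comes down to two mongod settings. The audit script below is an added example, not code from the original post; the two configurations it checks are constructed and are not Kinotopic's actual configuration.

```python
"""Audit a mongod.conf for the two settings that leave a database sitting on the
open internet with no protection: listening on every interface and running with
authorization disabled. Added example; both configs below are constructed."""
import re

# Constructed derelict deployment: reachable from anywhere, no authentication.
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
"""

# Constructed hardened deployment: loopback only, authentication required.
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_sections(conf: str) -> dict:
    """Minimal parser for the 'section:' / '  key: value' layout of mongod.conf;
    it handles only that two-level shape, which is all the audit needs."""
    sections, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"^(\s*)([A-Za-z0-9_]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent == "":                               # top-level section
            current = key
            sections.setdefault(current, {})
        elif current is not None:
            sections[current][key] = value.strip()
    return sections


def audit(conf: str) -> list:
    """Return findings for the config; an empty list means both checks pass."""
    s = parse_sections(conf)
    net, sec = s.get("net", {}), s.get("security", {})
    findings = []
    # mongod 3.6+ defaults to localhost; older builds listened on every interface.
    bind_ip = net.get("bindIp", "127.0.0.1")
    ips = [ip.strip() for ip in bind_ip.split(",")]
    if net.get("bindIpAll", "").lower() == "true" or any(ip in ("0.0.0.0", "::", "*") for ip in ips):
        findings.append(f"net.bindIp={bind_ip}: listening on all interfaces")
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization not enabled: any client that connects can read every collection")
    return findings
```

Run `audit()` over your own mongod.conf; two findings means the deployment is in the same state as the one described in this post.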
I have tried to get in touch with the Kinotopic developers in several ways. All were unsuccessful. For example, the email address given on their website for help and support is firstname.lastname@example.org. But good luck trying to send anything to that email address. It will bounce almost immediately.
Also, I had fun trying to contact Apple about the issue. I figured that Apple might have some way to contact the developers of a prior iPhone app. After all, doesn't it make Apple look bad if an app that had gained Apple's official seal of approval then later exposes its user database to the entire world?
When I contacted Apple, they had this to say via email:
“Chris, if you believe that this issue affects the security of an iOS device or the iTunes Store, you may report it to email@example.com. […]
On the other hand, if this security issue only affects the application itself, I'm afraid you will need to continue getting in touch with the app developer for assistance.”
When that response came back from Apple, they already knew that I had hit a dead end trying to contact the Kinotopic developers. I was expecting a little more assistance in tracking down the makers of this software that was, until recently, officially supported and offered in the iPhone App Store.
So, here's where I'm at: If anyone reading this post knows of a way to get in contact with the Kinotopic developers (or their database administrators), please drop me a line at firstname.lastname@example.org. Once I'm confident that they are the proper people to speak with, I can provide the exact IP address and port number of the exposed database. A semi-redacted overview screenshot of the database should be visible above this post. If that is your database, I want to talk with you.
And to anyone that may have used Kinotopic in the past: it's probably time to cycle some new passwords into your mix.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: email@example.com