Private photos leaked by PhotoSquared’s unsecured cloud storage

Recognize anybody you know?

No, likely not. No thanks to the leaky photo app they dribbled out of for that, though. After coming across thousands of photos seeping out of an unsecured S3 storage bucket belonging to a photo app called PhotoSquared, security researchers at vpnMentor blurred a few.
They also blurred a sample from a host of other personally identifiable information (PII) they came across during their ongoing web mapping project, which has led to the discovery of a steady stream of databases that have lacked even the most basic of security measures.
In this case, as they wrote up in a report published this week, the researchers came across photos uploaded to the app for editing and printing; PDF orders and receipts; US Postal Service shipping labels for delivery of printed photos; and users’ full names, home/delivery addresses and the order value in USD.
PhotoSquared, a US-based app available on iOS and Android, is small but popular: it has over 100,000 customer entries just in the database that the researchers stumbled upon.

Customer impact and legal ramifications

vpnMentor suggested that PhotoSquared might find itself in legal hot water over this breach. vpnMentor’s Noam Rotem and Ran Locar note that PhotoSquared’s failure to lock down its cloud storage has put customers at risk of identity theft, financial or credit card fraud, malware attacks, or phishing campaigns launched with the USPS or PhotoSquared postage data arming phishers with the PII they need to sound all that much more convincing.
A breach of this kind of data could also lead to burglary, they said:

By combining a customer’s home address with insights into their personal lives and wealth gleaned from the photos uploaded, anyone could use this information to plan robberies of PhotoSquared users’ homes.
Meanwhile, PhotoSquared customers could also be targeted for online theft and fraud. Hackers and thieves could use their photos and home addresses to identify them on social media and find their email addresses, or any more Personally Identifiable Information (PII) to use fraudulently.

The legal hot water that may await could be found in California, vpnMentor suggests, given its newly enacted California Consumer Privacy Act (CCPA), with the law’s new, strict rules about corporate data leaks.

Securing an open S3 bucket

PhotoSquared, for its part, could have secured its servers, say Rotem and Locar, implemented proper access rules, and not left a system that doesn’t require authentication lying around open to the internet.
As it was, the database was set up with no password and no encryption.
From vpnMentor’s report:

Our team was able to access this bucket because it was completely unsecured and unencrypted.

The leaky PhotoSquared app is just the most recent story (one in a long chain) about misconfigured cloud storage buckets. Last week, it was JailCore, a cloud-based app meant to manage correctional facilities that turned out to be spilling PII about inmates and jail staff.
The Who’s Who list of organizations that have misconfigured their Amazon S3 buckets and thereby inadvertently regurgitated their private data across the world just keeps getting longer. Besides JailCore last week and PhotoSquared this week, that list contains Dow Jones; a bipartisan duo including the Democratic National Committee (DNC) and the Republican National Committee (RNC); and Time Warner Cable – to name just a few.

Plug those buckets!

Your organization doesn’t have to wind up on that Who’s Who list. There’s help out there for organizations that can take a deep breath, step away from their servers, and plunge in to learn how to better secure them: Amazon has an FAQ that advises customers how to secure S3 buckets and keep them private.
In the case of PhotoSquared, vpnMentor suggested that the quickest way to patch its pockmarked bucket is to:

• Make it private and add authentication protocols.
• Follow AWS access and authentication best practices.
• Add more layers of protection to the S3 bucket to further restrict who can access it from every point of entry.