Well here is another instance of an application causing people to worry about their own data. Pray.com is an application that gives you access to videos, podcasts, and many recordings of previous services. This application while it offers these services for users for a nominal fee, $50-$120, also provides services for churches to receive donations minus a nominal fee. The application has been downloaded over a million times and is mainly a cloud based web service for many of its users.
Pray.com offers its services via an AWS web instance. This instance is owned and maintained from their developers. The breach that identified came back to a misconfigured S3 bucket. The information in this bucket while contained many of the files from internal operations of Pray.com also had PII data from other applications. This applications gave anyone with access to these files the details of previous donations, and users. Researchers said that many of these phonebooks contained hundreds of individual contacts, each one revealing that person’s PII data, including names, phone numbers, email, home and business addresses, and other details, like company names and family ties. Some of the entries included login information for private accounts.
Anyone with IT security knowledge knows the phishing attacks that can occur from this data. An attacker could start a scam of hoaxes to previous users using the data they collected from these files.
“The people whose data Pray.com had stored in these phonebook files were not app users, They were simply people whose contact details had been saved on a Pray.com user’s device. In total, we believe Pray.com stored up to 10 million peoples’ private data without their direct permission – and without its users realizing they were allowing it to happen.”
vpnMentor.com 2020
Why was pray.com allowed access to information from contacts address books? Was this really needed for the developers to store? This is a classic instance of an application being allowed too many permissions. Users must ask themselves when an application is asking for permissions. Does this application really need my contacts, or access to the phone? If no, DENY! This is the only way we can protect ourselves from consumers. There is not a process that ensures that a developer is following safe guidelines so we as consumers must protect ourselves.
Watch Closely as you share your data, your name maybe in the list of the next breach…
Can you hack it?
JT