The well-known cybersecurity research duo Noam Rotem and Ran Locar of vpnMentor discovered a data breach at the U.S.-based photo printing app PhotoSquared. The exposed database potentially compromised the personal data of more than 100,000 PhotoSquared customers, including their photos, print labels and order details such as delivery addresses, invoice amounts and more.
The PhotoSquared app is available on iOS and Android. Users upload photos in the app, which are then printed onto lightweight photo tiles; the decorative tiles are mailed back to the users at the delivery address given at checkout. It is a very basic yet popular app with a customer database of over 100,000.
The research duo found that the database in question was hosted on Amazon Web Services (AWS) in an S3 bucket, and the company’s name appeared in the database URL. The customer data found in the unprotected database totaled 94.7 GB and dated from November 2016 to January 2020. The researchers said that, “It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private, but owners at times fail to implement basic security protocols.”
Risk Mitigation Steps
AWS provides its users with detailed instructions for securing S3 buckets and keeping them private, including:
- Set the bucket to private and add authentication protocols.
- Implement AWS access and authentication best practices.
- Add additional layers of protection to the S3 bucket to further restrict who can access it from every point.
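The steps above describe the fix but not how to tell a misconfigured bucket from a properly locked-down one. The following Python example, added here and not taken from the article, from vpnMentor or from AWS, evaluates a bucket policy document together with the bucket's Block Public Access settings: a "before" policy that grants anonymous read (the pattern behind publicly viewable buckets) is shown beside an "after" policy restricted to a single service role with TLS enforced. The bucket name, account ID and role name are constructed placeholders, and the checker deliberately skips conditioned statements, which need manual review.

```python
import json

PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def public_read_statements(policy):
    """Sids of Allow statements granting anonymous read; conditioned
    statements are skipped (manual review) and Deny never counts."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    found = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if READ_ACTIONS.intersection(actions):
            found.append(stmt.get("Sid", f"Statement[{i}]"))
    return found

def block_public_access_complete(bpa):
    """True only when all four Block Public Access switches are on."""
    return all(bpa.get(k) is True for k in BPA_KEYS)

def assess(policy, bpa):
    """'public' when an anonymous grant exists and BPA does not block it."""
    grants = public_read_statements(policy)
    blocked = block_public_access_complete(bpa)
    status = "public" if grants and not blocked else "private"
    return {"status": status, "grants": grants, "bpa_complete": blocked}

# Constructed "before": the pattern behind publicly readable buckets.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photos/*"}]}
WEAK_BPA = {k: False for k in BPA_KEYS}

# Constructed "after": only a placeholder service role may read, TLS is required.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ServiceRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/print-service"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photos/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-photos/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
FIXED_BPA = {k: True for k in BPA_KEYS}
```

In a real review the policy and Block Public Access settings would be pulled per bucket (for example via the AWS CLI) and fed to `assess`; a "public" result with a non-empty grant list is the exact condition that leaves customer data open to anyone who finds the bucket URL.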
The same research duo, Noam Rotem and Ran Locar, had earlier found an unprotected AWS S3 database containing personal and private information of British citizens, including passport scans, tax documents, job applications, background checks, expense forms, scanned contracts complete with signatures, salary information, emails and more.
The researchers came across this data while working on a web-mapping project that scans for data leaks. Rotem said, “We’re scanning large parts of the internet and trying to find data that is lying around within open databases that don’t require any hacking.”