Cybernews reports Photo Vault app leaked user data


The iOS app Photo Vault, designed to protect private content, has leaked user data in real time due to a misconfigured, passwordless Firebase database, according to Cybernews. Intended as a digital lockbox for personal photos, sensitive notes, passwords, and more, Photo Vault nevertheless suffered a security lapse, revealed last February, that left the app’s Firebase database completely exposed.

The leak exposed everything from folder and file names to user email addresses, plaintext passwords, and even supposedly “secure” notes.

This leak is extremely dangerous, as hackers can set up scrapers to constantly suck up sensitive data from the Firebase instance, getting real-time access to fresh passwords and other private info as soon as it’s uploaded. To make matters worse, attackers could exploit passwords users upload to the vault to hijack their accounts.

The company behind Photo Vault, a developer called Brain Craft, operates out of Bangladesh and boasts a portfolio of more than 20 apps, claiming a total of 20 million downloads and 15 million users. Among them, Photo Vault alone was downloaded 72,000 times, according to the Cybernews report, which adds that the company has yet to provide an official comment on the leak.

“Some of these folder names were descriptive enough to identify criminal activity such as hacking into other people’s accounts to access sensitive data stored within,” said Cybernews researcher Aras Nazarovas. “Since multiple users used this service to also store passwords and notes, it is possible that an attacker could use this information to gain unauthorized access to the private vaults by performing credential stuffing attacks.”