Lifeprint app on iOS and Android spilled 2 million private photos

Cybernews reports Lifeprint, a maker of portable photo printers, spilled millions of private photos onto the open internet. The company has not addressed the issue. Cybernews researchers have revealed a data leak affecting Lifeprint portable printer users. The brand makes instant photo printers for iPhone and Android, letting users print photos, and GIFs directly from their phones. It belongs to C+A Global, a New Jersey-registered company founded in 2003.The app tied to the leak is used by all Lifeprint printer users to print photos and share snapshots or clips directly to someone else’s printer. The app has over 100,000 downloads on Google Play.

The leak was caused by a misconfigured bucket that lacked authentication. Any internet user could have accessed over 8 million files, including 2 million unique photos, exported user data in JSON and CSV formats, and lists of usernames, email addresses, and printing stats for more than 100,000 users.

According to the stored metadata, these users printed 1.6 million photos together.

The research team also found the public cloud bucket contained multiple versions of the printer’s firmware. Buried inside the files was a private encryption key, left in plain text, which appeared to be used to sign the firmware.