Virtual keyboards like Ai.type are often taken for granted: they simply appear on-screen while typing and do not require much attention. However, these keyboards can be a serious point of exposure, because everything we type, including our passwords, credit card details and personal information, passes through them.
Unfortunately, personal data of approximately 31 million users of the popular keyboard, Ai.type, has been leaked thanks to the app’s unprotected database. A hacker sneaked into the insecure system and uploaded users’ personal info on the app’s database.
As the name suggests, Ai.type is a keyboard that learns a user’s typing style and later helps them by automatically inserting buzzwords and emojis during conversations. The app runs on iOS and Android smartphones and has over 40 million users worldwide (a figure confirmed by the massive leak).
According to Zack Whittaker of ZDNet, the app’s database server was left online without password protection, leaving its users’ personal data easily accessible to anyone.
The data includes basic information about the user, such as names and email addresses, along with device information such as model, screen resolution, and IMSI and IMEI numbers. That information is relatively basic and not especially personal; the worrying part is that the data also included genuinely sensitive details, including the user’s location, phone number and contact list, and the IP address and ISP if they used the app while connected to Wi-Fi, Whittaker said.
For unclear reasons, the uploaded data also included a list of all the apps installed on the user’s phone. Hundreds of millions of names and email addresses belonging to the people users had interacted with were also uploaded.
I’m horrified by this data leak. Email addresses, phone numbers, and precise locations of 31 million users is bad enough, but the data also includes every user’s contacts list — some 374.6 million phone numbers alone. https://t.co/rvNuPbP6Vr pic.twitter.com/AinjASnOyG
— Zack Whittaker (@zackwhittaker) 5 December 2017
ZDNet claims that the app’s database also possessed “concatenated email addresses and corresponding passwords.” Ai.type says that they never “learn from password fields.”
The defenseless database was spotted by researchers at the Kromtech Security Center. The leak “… is pretty bad, indeed. Nobody expects his or her phone book or other device or location related details to be exposed to the public internet,” said Bob Diachenko, Kromtech’s head.
Diachenko also said that the leak was an outcome of a misconfigured MongoDB server “left unprotected for anybody to access/read/write.”
“The danger of having [an] unprotected MongoDB [database] is huge. In January 2017, 27,000 — or roughly a quarter — of MongoDB databases left open to the internet were hit by ransomware, and again in September 2017 three groups of hackers wiped out an estimated 26,000 MongoDB databases. The cybercriminals demanded that the owners of those databases pay around $650 in Bitcoin to regain their data.”
Finally, the database has been secured by the developer, although, according to Diachenko, “a couple of days after we notified the owner”.
On the plus side, the leak only affected Android users, and among those, users of the free version of the app were the most severely affected.
Ai.type’s case serves as a warning to all other companies that store their customers’ data and do not properly authenticate access to their systems.
“This is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their privacy practices,” said Diachenko.
Such leaks should become considerably less likely in the future, as the forthcoming MongoDB 3.6 (yet to be released) will ship with a safe default configuration that prevents the database from accepting internet connections without authentication.
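As an added illustration (not configuration from the article or from Ai.type), here is a mongod.conf in the exposed state Diachenko describes, followed by the hardened form; the port and the use of YAML document separators to show both in one file are assumptions:

```yaml
# --- Exposed (constructed example) ---
# Any host on the internet can connect, and with no 'security' section
# no credentials are required to read, write or drop every collection.
net:
  bindIp: 0.0.0.0        # listens on every interface, public ones included
  port: 27017
---
# --- Hardened (constructed example) ---
# bindIp restricted to localhost is what MongoDB 3.6 does by default;
# authorization must still be switched on explicitly.
net:
  bindIp: 127.0.0.1      # only local clients can reach the server
  port: 27017
security:
  authorization: enabled # every client must authenticate as a user with assigned roles
```

With authorization enabled, the first administrative user is created over the localhost connection before any other address is added to bindIp; from then on unauthenticated reads and writes are refused.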