Data-slurping keyboard app makes Mongo mistake with user data

Data-slurping keyboard app makes Mongo mistake with user data

Data-slurping keyboard app makes Mongo mistake with user data

Personal data of 31,293,959 users of a popular virtual keyboard app, ai.type, has leaked online due to a misconfigured MongoDB database.

Had any of the malicious types that lurk on the web found the server they could have extracted all manner of user data, from full names, email addresses, and location, basically a treasure trove of information for people who get their kicks from identity theft and fraud. Fitusi is the co-founder of AI.type, a customisable on-screen keyboard which boasts of as many as 40 million users worldwide.

According to the Kromtech Security Center, the AI.type server had been using a Mongo-hosted database that is used by many well-known companies and organisations to store data, but a simple misconfiguration could allow the database to be easily exposed online.

The compromised database consisted of what is known to be 577 GB worth sensitive data. User data from a folder titled "old database' that contained 753,456 records too said to be available online".

More than six million records contained data collected from users' contact books including names, phone numbers and contacts saved or linked to Google account, researchers found. The records also included the user's location set by Global Positioning System, including their city and country.

ZDNet obtained a portion of the database to verify.

"When researchers installed Ai.Type they were shocked to discover that users must allow "Full Access" to all of their data stored on the testing iPhone, including all keyboard data past and present", explained Kromtech chief communications officer, Bob Diachenko.

Okami's Amaterasu Could Be Coming To DOTA 2 - With Your Help
If you're more of a League of Legends person, you can still enjoy Amaterasu's prettiness by playing Okami HD next week. Game crossovers are nothing new, but Capcom's way of getting Okami's Amaterasu into Dota 2 is a bit different.

The data was only secured after the firm made several attempts to contact Fitusi, who acknowledged the security lapse this weekend. It also contained seemingly useless information such as each user's IMSI and IMEI device number - which are unique numbers to identify a phone on the global network and one to identify it on a particular network - alongside make and model information, screen resolution and even the version of Android it's running. Some of the records, however, are far more significant and include phone numbers and IP addresses. Android and iOS both warn users of the risk of using such keyboards. Other tables also included a list of the other apps installed on a device, although it doesn't appear to have captured any data from within them.

For its part, AI.type says on its website that user's privacy "is our main concern".

"It raises the question of why would a keyboard and emoji application need to gather the entire data of the user's phone or tablet?"

"It is clear that data is valuable and everyone wants access to it for different reasons", Alex Kernishniuk, VP of strategic alliances at Kromtech, said.

There are more detailed records for those who purchased the full version of the app.

'Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways.

Latest News