Therefore I reverse engineered two dating apps.

Video and picture leak through misconfigured S3 buckets

Typically, for photos or other assets, some form of Access Control List (ACL) will be in place. For assets such as profile photos, a common way of applying an ACL would be:

The key would act as a “password” to access the file, and the password would only be given to users who need access to the image. In the case of a dating app, that is whoever the profile is presented to.

We have identified several misconfigured S3 buckets on The League during the research. All images and videos are unintentionally made public, with metadata such as which user uploaded them and when. Normally the app would get the images through CloudFront, a CDN on top of the S3 buckets. Unfortunately the underlying S3 buckets are severely misconfigured.
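As an added illustration (not code from the original post), the following check flags a bucket whose objects can be read directly from S3 instead of only through the CDN. The function name `audit_bucket`, the bucket name, the account ID and the distribution ARN are constructed placeholders; the input dicts follow the shapes of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses.

```python
# AWS-defined group URIs that make an ACL grant public or near-public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def audit_bucket(acl, policy, public_access_block):
    """Return findings for one bucket. Inputs are dicts in the shapes of the
    S3 GetBucketAcl, GetBucketPolicy (parsed) and GetPublicAccessBlock responses."""
    findings = []
    pab = public_access_block or {}
    # Block Public Access neutralises public ACLs / public policies when set.
    acls_ignored = pab.get("IgnorePublicAcls", False)
    policy_restricted = pab.get("RestrictPublicBuckets", False)
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_GROUPS and not acls_ignored:
            findings.append(f"ACL: {grant.get('Permission')} granted to {uri.rsplit('/', 1)[-1]}")
    for stmt in (policy or {}).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        wildcard = principal in ("*", ["*"])
        # Simplification: any Condition is treated as a restriction; review those by hand.
        if (stmt.get("Effect") == "Allow" and wildcard
                and not stmt.get("Condition") and not policy_restricted):
            findings.append(f"Policy: {stmt.get('Action')} allowed for any principal")
    return findings

# Constructed sample: objects readable directly from S3, bypassing the CDN.
LEAKY = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media/*"}]},
    "public_access_block": None,
}
# Constructed sample: only the CloudFront distribution may read (placeholder ARN).
LOCKED = {
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
            "Permission": "FULL_CONTROL"}]},
    "policy": {"Statement": [{"Effect": "Allow",
               "Principal": {"Service": "cloudfront.amazonaws.com"},
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media/*",
               "Condition": {"StringEquals": {"AWS:SourceArn":
                   "arn:aws:cloudfront::111122223333:distribution/EXAMPLE"}}}]},
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
}
```

Calling `audit_bucket(**LEAKY)` returns one finding for the public ACL grant and one for the wildcard policy statement; `audit_bucket(**LOCKED)` returns an empty list.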

Side note: as far as I can tell, the profile UUID is randomly generated server-side when the profile is created. So that part is unlikely to be easy to guess. The filename is controlled by the client; the server accepts any filename.