Data-slurping keyboard app makes Mongo mistake with user data

Another week, another open database left online, but this latest case has shown not only sloppy security but also how much data you’re giving up with some apps. On Tuesday security shop Kromtech released details on a MongoDB database it found unsecured online containing 577GB of data collected by predictive keyboard app AI. …

  1. This post has been deleted by its author

  2. vir

    Preemptive Hostility?

    "So no one that uses our keyboard cannot be offended in any way and they all can feel safe, the data is completely flat and non-personal."

    So everyone who uses their keyboard must be offended?

  3. Anonymous Coward

    Sleep-walking to the Data-Apocalypse one leak at a time

    'No sensitive data there' - Who are they trying to kid? - Nothing to see here, except the sheer delusion of App-makers and Cloud peddlers everywhere:

    "MongoDB database ... found unsecured online containing 577GB of data collected by predictive keyboard app AI.type from its over 31 million users. This included the name, email address and location, along with IMSI and IMEI numbers, IP address, phone spec and OS details, and links to user's social media profiles and photos. It also slurped 373 million names and phone numbers from the contacts of over six million users."

  4. Dan 55 Silver badge

    Why do people find the need to use a keyboard with Internet access?

    It's pretty obvious what's going to happen.

    Lineage OS or something like Hacker's Keyboard or Simple Keyboard will do the job just as well.

    1. Mark 85

      Re: Why do people find the need to use a keyboard with Internet access?

      Good question, here's my take:

      They're idiots who don't care about personal data security when presented with the latest "shiny" or the next neat thing and they have more money than brains.

    2. Gene Cash Silver badge

      Re: Why do people find the need to use a keyboard with Internet access?

      My "Swype + Dragon" keyboard just absolutely pounds me with requests for me to a) give it internet access and b) create an account and log in, every time it updates or I go to settings, so I can get k-rad kewl stuff like different themes. Whee. Different themes. Yay.

      I have done neither, and I keep using it because it actually is a really good predictive keyboard. The predictions are spot-on, otherwise I would have tossed it long ago.

      And Hacker's Keyboard sucks balls... I used it when it was the keyboard with the best ConnectBot compatibility, but since ConnectBot has improved its keyboard handling, I've happily uninstalled it.

  5. Anonymous Coward

    Deluded

    "any password or credit card information"... as though that is the only information of any value.

    It is in this guy's interest to continue the mis-truth that the rest of your data is worthless so you should hand it over for nothing.

    As for leaving a database unsecured, that shows that they do not have a good tech team or at least an experienced one.

    This guy sounds like a typical ceo of a tech company these days, arrogant and ignorant (just like the Twoo guy)... linkedin profile is full of terms like "organic growth" and not "data security" "company integrity".

  6. Bob Dole (tm)

    Wow.

    • 31 million users
    • name, email address and location, along with IMSI and IMEI numbers, IP address, phone spec and OS details, and links to user's social media profiles and photos
    • 373 million names and phone numbers from the contacts of over six million users
    • Ai.type’s founder Eitan Fitusi, "...the archive only contained around half of the firm’s database information"
    • Ai.type’s founder Eitan Fitusi, “There is no sensitive data there,..."

    Just wow.

  7. Destroy All Monsters Silver badge

    "the data is completely flat and non-personal”

    One would hope so will be his EEG after the lawsuits are over.

    Seriously, that total panic tweet must have been sent from an Undisclosed Location. Hilarious.

  8. Jamesit

    "This included the name, email address and location, along with IMSI and IMEI numbers, IP address, phone spec and OS details, and links to user's social media profiles and photos. It also slurped 373 million names and phone numbers from the contacts of over six million users."

    “There is no sensitive data there, we are not collecting\storing \sending any password or credit card information,”

    if the data mentioned in the first quote isn't sensitive, I don't know what is.

  9. Lucasjkr

    Keyboard Apps?

    Being an iOS user, I simply can't imagine why someone would switch out the keyboard that is provided by the developer of their OS, with a widget from the Play store, where you have zero assurance that it isn't up to something nefarious, like what happened here.

    Perhaps one of those keyboard users can tell us, when installing this App, did it at any time warn that it would be transmitting every word your name, email, phone number and everything you ever typed in it to their servers?

    And we wonder why we don't have security. No matter how secure people make their passwords, it's all for nothing if it just winds up in your keyboard logger's, I mean, keyboard app maker's, database.

    1. Gene Cash Silver badge

      Re: Keyboard Apps?

      Really? With jokes like Apple spelling "corrections" and the letter "I" bug and crap like that? That's one reason I stay away from Apple.

      Not only am I able to avoid baked-in keyboard bugs, but I've been able to try out a dozen predictive keyboards and find one that's decent and gets spot-on predictions for my writing style.

      And my keyboard desperately wants me to enable internet access BUT I do have the option not to, and I haven't.

      1. Anonymous Coward

        Re: Keyboard Apps?

        I think you've missed the point - it's a keyboard on a phone or similar device. Key-logging is by far the greater concern.

    2. Dan 55 Silver badge

      Re: Keyboard Apps?

      Only if the developer of the OS also slurps using the default keyboard.

  10. ma1010

    Truer words have never been said

    "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.”

    It's time to bloody OUTLAW data slurping unless people specifically consent to something CLEARLY WRITTEN and SHORT. With the slurper completely liable for any damage caused by the leakage!

    Never happen, of course.

  11. Mark M.

    Predictive test app == keylogger?

    Surely, if using a "predictive text" keyboard, there would be a history of the words you are typing on your phone in this database? A miscreant could easily sort through the words and pick out sensitive PII from them.

  12. Alistair

    I am hoping that it was

    either a typo or a linguistic error that resulted in the phrase:

    "This presents a real danger for cyber criminals who could commit fraud or scams....."

    The terrifying bit here is that this db is associated with a keyboard app on phones, if this exists, is there another db out there from their "diagnostics" component that has pools of text that had been entered on these phones in "order to improve our application" that is similarly unprotected? I mean, "There is no sensitive data there...." --- so *cough* where is the "sensitive" data you dense as a plank moronic execubot?

  13. sloshnmosh

    And yet....

    It's STILL on the Google Play Store!

    (Sigh)

  14. sloshnmosh

    In the shady developer's defense...

    Most of the slurp is disclosed in the developer's "privacy" policy (that nobody ever reads)

    1.2. Data Collection. ai.type Application may collect statistical information (such as Ad-ID, IP address, Location based IP, contacts list, text messages, SSAID, IMEI, USER-ID , list of Apps installed, behavioral information) to ensure proper operation, verify information, tailor the keyboard to your specific preferences and ensure information security. ai.type will NOT publish NOR disclose any of user’s private and confidential information, such private ID numbers, driver’s and other license numbers, non-public contacts, or any other information that is not publicly accessible.

    1. John Brown (no body) Silver badge

      Re: In the shady developer's defense...

      "may collect "

      Funny how the legalese is full of "may", "might" etc and when the actuality is always "will" and "does" etc. They like to imply that they don't really collect everything, no sirree, we're honest and only collect what we really need to improve the app. Really, truly, honestly!

  15. fpx

    No Non-Free Option

    Re: "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services"

    I wish. I would love to pay for some apps to have ads or tracking removed. However, most of the time I do not have the option. Usually Apps only unlock additional features when you pay for them instead of using the free version, but do not disable tracking. Tracking users that are willing to pay is the most valuable data for them!
