Data-slurping keyboard app makes Mongo mistake with user data

Adjust Comment Print

Uncovered by security researchers at Kromtech Security Centre, the keyboard app that offers an alternative to the native keyboards on Android and iOS devices was found to be extracting personal data from some 31 million users and flinging it over to an unsecured database server owned by the app's co-founder Eitan Fitusi. The database contained the full name and email address of each user, as well as information about how many days the app had been installed on their device.

After the researchers apparently repeatedly tried to contact Fitusi, the app maker eventually added password protection to the database that held more than 577GB of user data, after it had been previously been left open to anyone who wandered by on the digital highways of the internet.

This included the name, email address and location, along with IMSI and IMEI numbers, IP address, phone spec and OS details, and links to user's social media profiles and photos. "This is a shocking amount of information on their users who assume they are getting a simple keyboard application".

Interestingly, AI.type says on its website that user privacy "is our main concern", and that any text entered on the keyboard "stays encrypted and private".

It's not uncommon for keyboard apps to ask for wide-ranging permissions to access data on a user's device-and in many cases, users are willing to grant it because the keyboard is an essential tool.

"Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online", said Bob Diachenko, head of communications at the Kromtech Security Center.

Alli plays as Spurs seek quick reboot
But he has struggled to make an impact in any of his five Premier League appearances since then and admitted: "We're all disappointed with recent results".

Most alarmingly of all, some of the more complete records contained user's phone numbers and the name of their mobile network operator.

"Based on the leaked database they appear to collect everything from contacts to keystrokes". In some cases, there's even specific details from the user's Google profile, including birth dates, genders, and profile pictures.

The data leak, according to the researchers, only affects the app on Android and not iOS, so iPhone users can keep feeling smug. ZDNet said it also uncovered the contact details from user's address books.

Kromtech'sVP of strategic alliances Alex Kernishniuk said: "It is clear that data is valuable and everyone wants access to it for different reasons".

'It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices'. "Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways".

While the database discovered to be leaking information collected by AI.type has been secured, the app itself is still collecting the same data.

Comments