Posted on September 15, 2020 at 10:19 AM
According to a recent report, a database left online without password protection has exposed the personal details of thousands of users who had previously registered on online dating sites.
Security researchers from vpnMentor discovered the vulnerable database, an Elasticsearch server, last month.
Once vpnMentor identified Mailfire as the owner of the vulnerable database, it was taken offline on September 3.
A request for comment concerning the incident has been sent to Mailfire, but the company has not responded yet. Some of the dating sites contained in the exposed database include Jolly.me, Cum2Date, Loveeto, Victoria Brides, Rondevo, ValenTime, AneAmour, JollyRomance, Asia Charm, Ukrainian Charm, Asian Melodies, Emily Dates, Julia Dates, Kismia, and lots more.
Leaked database contains copies of push notifications
VpnMentor researchers revealed that the database contained copies of push notifications that various websites were sending to their users.
A push notification is a real-time message a company sends to browser or smartphone users who have opted to receive such messages.
According to the report, the vulnerable database contained over 800 GB of log files relating to push notifications delivered to users through Mailfire's service. The log was updated in real time as the service sent out new notifications.
VpnMentor also revealed that the log files contained other data. According to the report, they included 66 million notifications the service had sent within the previous three days.
While looking for the owner of the database, vpnMentor analyzed the exposed data and discovered that the notifications came from more than 70 websites.
The report revealed that some of these websites were classified ads and e-commerce stores, but most of the notifications contained in the database came from dating sites.
The dating sites promise men that they will be matched with younger partners from different parts of the world, such as Eastern Asia or Eastern Europe.
Many of the websites look virtually identical, and although they use different domains, they appear to belong to a larger network.
There is no doubt that the dating sites are spamming users through these push notifications, trying to lure them back by claiming that a new female user has replied or sent them a message. The aim is to draw the user's attention back to the dating sites, which drives more visits and helps the websites grow.
But using push notifications to spam users is not the main problem, especially when the user has consented to receive such messages. The issue here is that the users' data were exposed.
Besides the copies of the push notifications, the exposed logs on the Elasticsearch server included a "debug" section, which is where the user's personal information was written to the log.
The data in the debug entries include the user's IP address, age, name, geographical location, email address, and gender.
Additionally, each notification contained a link back to the user's profile, to be opened when they tapped or clicked on the push notification. These links also embedded authentication keys, which means anyone holding the URL could access the user's profile on the site without needing a password.
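As an added defender-side example (not code from vpnMentor or Mailfire), the following Python audits notification log documents for the two hazards the report describes: personal data written into a "debug" block, and authentication keys embedded in click-through URLs. The document shape, field names, parameter names and sample record are constructed assumptions for this example, not Mailfire's actual log format.

```python
import copy
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Debug-block fields treated as personal data (assumed names, not Mailfire's schema).
PII_KEYS = {"ip", "age", "name", "location", "email", "gender"}
# Query parameters assumed to carry an authentication secret.
AUTH_PARAMS = {"auth_key", "token", "auth", "key", "session"}
# Long opaque values are treated as credentials regardless of parameter name.
SECRET_VALUE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")

def scrub_url(url):
    """Return (clean_url, removed_params) with credential-like query params dropped."""
    parts = urlsplit(url)
    kept, removed = [], []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k.lower() in AUTH_PARAMS or SECRET_VALUE.match(v):
            removed.append(k)
        else:
            kept.append((k, v))
    return urlunsplit(parts._replace(query=urlencode(kept))), removed

def audit_document(doc):
    """Return (redacted_copy, findings) for one notification log document.
    PII in the debug block becomes "[REDACTED]" and auth keys are stripped
    from the click-through URL; the input document itself is left unchanged."""
    out = copy.deepcopy(doc)
    findings = []
    debug = out.get("debug") or {}
    for key in sorted(debug):          # sorted so findings are deterministic
        if key.lower() in PII_KEYS:
            findings.append(f"pii:{key}")
            debug[key] = "[REDACTED]"
    url = (out.get("notification") or {}).get("click_url")
    if url:
        clean, removed = scrub_url(url)
        if removed:
            findings.append("auth_key_in_url:" + ",".join(removed))
            out["notification"]["click_url"] = clean
    return out, findings

# Constructed sample document; site, user and key are fictitious.
SAMPLE = {
    "site": "example-dating.test",
    "notification": {"title": "You have a new message",
                     "click_url": "https://example-dating.test/profile/42"
                                  "?auth_key=0123456789abcdef0123456789abcdef01234567&src=push"},
    "debug": {"ip": "203.0.113.7", "age": 46, "name": "Alex",
              "email": "alex@example.test", "gender": "m", "location": "Denver"},
}
```

Calling `audit_document(SAMPLE)` reports every PII field in the debug block plus the embedded auth key, and returns a copy safe to keep in a log store.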
User profiles can be used for extortion
Anyone who had access to the database over the past few weeks could have learned the identities of those users and accessed their profiles to see their past connections or read their private messages.
According to the information the vpnMentor researchers provided, the exposed database has put many users in danger. They are likely targets for extortion, much like the Ashley Madison users who were blackmailed for many years.
Some of those users suffered severely during the Ashley Madison extortion; some committed suicide after their long relationships crumbled because of the exposure.