Popsugar’s Twinning app was found exposing users’ uploaded photos

• The photos or selfies uploaded to the Popsugar’s twinning app were easily accessible by anyone who knows where it is stored.
• The web address of the storage bucket where the uploaded photos are stored is found in the code of the Twinning app’s website.

Popsugar’s Twinning app is a photo-matching tool which compares users’ uploaded photos with celebrities photos and gives a twinning percentage for top five look-alikes. The results can also be shared on Facebook and Twitter. It is to be noted that hundreds of users’ uploaded photos were found to be leaked in Google’s search results even before the users shared it on Facebook or Twitter.

The users who uploaded their photos or selfies to the Twinning app were found to be easily accessible. The uploaded photos are stored in a storage bucket and the web address of the storage bucket is found in the code of the Twinning app’s website thereby exposing users’ uploaded photos.

What happened?

All the photos and selfies uploaded on the Popsugar’s Twinning app were stored on a storage bucket hosted by Amazon Web Services. The web address of the storage bucket could be found in the code of the Twinning app’s website.

To verify this,

• Researchers at TechCrunch uploaded a dummy image of certain file size to the Twinning app at a specific time period.
• The researchers then scraped a list of filenames uploaded during the specific time period from the storage bucket’s web address.
• They then downloaded the files, searched for their uploaded image with the certain file size and found the image.

Researchers noted the storage bucket to be locked down in some time. However, Mike Patnode, Vice President of engineering at Popsugar confirmed in an email to Techcrunch that ‘the bucket permissions weren't set up correctly.”

Threat actors often take advantage of viral mobile app trends to create malicious apps which steal user data or inject malware into their devices. In May 2018, a set of photo editor apps were found to be hiding malware. Such cases are unfortunately quite frequent.

In order to stay secure, it is always recommended to be cautious when using free apps such as quiz, games, photo editor tool etc. as to what information you provide and what access permissions you grant to such apps.