Therefore, I reverse engineered two dating apps.

Video and picture leak through misconfigured S3 buckets

Typically for images or other assets, some sort of Access Control List (ACL) would be in place. A common way of implementing ACL would be for assets such as profile pictures

One of the keys would act as a “password” to access the file, and the password would be given only to users who need access to the image. In the case of a dating app, that will be whoever the profile is presented to.

I’ve identified several misconfigured S3 buckets on The League during the research. All photos and videos are unintentionally made public, with metadata such as which user uploaded them and when. Normally the app would get the images through CloudFront, a CDN on top of the S3 buckets. Unfortunately the underlying S3 buckets are severely misconfigured.

Side note: as far as I can tell, the profile UUID is randomly generated server-side when the profile is created. So that part is unlikely to be easy to guess. The filename is controlled by the client; the server accepts any filename. In the client app it’s hardcoded to upload.jpg.

The vendor has since disabled public ListObjects. However, we still think there must be some randomness in the key. A timestamp cannot act as the key.
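To make the point about randomness concrete, here is an added example (not code from the original post or from the app's vendor) that builds an object key server-side and estimates how many bits an outsider would have to guess for a given key. The key layout, the names `build_key` and `audit_key`, the extension allow-list, the 100-bit threshold and the one-day upload window are all assumptions made for illustration.

```python
import math
import re
import secrets

TS_RE = re.compile(r"^\d{10}(\d{3})?$")          # epoch seconds or milliseconds
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")   # url-safe base64, 22 chars = 132 bits
ALLOWED_EXT = {"jpg", "png", "mp4"}              # constructed allow-list
MIN_BITS = 100                                   # assumed threshold for "unguessable"


def build_key(profile_uuid: str, client_filename: str) -> str:
    """Server-side key: the client only influences the (allow-listed) extension."""
    ext = client_filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("unsupported file type")
    token = secrets.token_urlsafe(16)            # 128 random bits from the OS CSPRNG
    return f"{profile_uuid}/{token}.{ext}"


def segment_bits(seg: str, known: frozenset, window_s: int) -> float:
    """Bits an outsider must guess for one path segment of the key."""
    stem = seg.rsplit(".", 1)[0]
    if seg in known or stem in known:
        return 0.0                               # already disclosed to the viewer
    if TS_RE.match(stem):                        # only the upload window is unknown
        return math.log2(window_s * (1000 if len(stem) == 13 else 1))
    if UUID_RE.match(stem):
        return 122.0                             # assumes a random version 4 UUID
    if TOKEN_RE.match(stem):
        return 6.0 * len(stem)                   # 6 bits per base64 character
    return 0.0                                   # fixed names such as upload.jpg


def audit_key(key: str, known=(), window_s: int = 86400) -> dict:
    """Sum the unguessable bits of a key, given identifiers the viewer already has."""
    bits = sum(segment_bits(s, frozenset(known), window_s) for s in key.split("/"))
    return {"bits": round(bits, 1), "ok": bits >= MIN_BITS}
```

With a millisecond timestamp as the only varying part, the key carries roughly 26 bits for a one-day window, which is why the check rejects it even when listing is disabled.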

IP address doxing through link previews

Link preview is one thing that is hard to get right in a lot of messaging apps. There are typically three techniques for link previews:
