A popular Christian faith app has unwittingly exposed the personal data of up to 10 million users dating back several years, after misconfiguring its cloud infrastructure, researchers have warned.
Santa Monica-headquartered Pray.com claims to be the “#1 App for daily prayer and biblical audio content” and has been downloaded over a million times from the Play Store.
Researchers at vpnMentor discovered four misconfigured AWS S3 buckets belonging to the company.
Although the company had made around 80,000 of the files private, it failed to apply the same restrictions to its CloudFront CDN, which also had access to them. This means a hacker could have compromised personal information on as many as 10 million people, most of whom were not even Pray.com users.
“Cloudfront allows app developers to cache content on proxy servers hosted by AWS around the world – and closer to an app’s users – rather than load those files from the app’s servers. Doing so speeds up the app’s performance considerably,” vpnMentor explained.
“Pray.com seemingly overlooked installing proper security measures on its CloudFront account. As a result, any files on the S3 buckets could be indirectly viewed and accessed through the CDN, regardless of their individual security settings.”
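A defensive check for the pattern vpnMentor describes, added here as an example and not code from vpnMentor or Pray.com: it walks a CloudFront distribution configuration (the shape returned by boto3's `get_distribution_config`, with a constructed sample embedded so it runs offline) and flags S3 origins that CloudFront reads through an origin access identity or origin access control while viewers need no signed URL or signed cookie, which is exactly the case where per-object bucket permissions stop mattering.

```python
# Hypothetical audit helper (not vpnMentor's or Pray.com's code): flag S3 origins that
# CloudFront reads with an OAI/OAC but serves to viewers without signed URLs or cookies.

def _behaviors(cfg):
    """Yield (path_pattern, behavior) for the default and path-specific behaviors."""
    yield "*", cfg["DefaultCacheBehavior"]
    for b in cfg.get("CacheBehaviors", {}).get("Items", []):
        yield b["PathPattern"], b

def _viewer_restricted(b):
    """True only if viewers must present a signed URL or signed cookie."""
    return bool(b.get("TrustedSigners", {}).get("Enabled")
                or b.get("TrustedKeyGroups", {}).get("Enabled"))

def find_open_s3_paths(cfg):
    """Return [(path_pattern, origin_domain)] where CloudFront's own bucket access
    makes otherwise-private objects fetchable by anyone who knows the CDN URL."""
    origins = {o["Id"]: o for o in cfg["Origins"]["Items"]}
    findings = []
    for pattern, b in _behaviors(cfg):
        origin = origins[b["TargetOriginId"]]
        s3cfg = origin.get("S3OriginConfig")
        if s3cfg is None:
            continue  # custom (non-S3) origin, out of scope here
        # Without an OAI/OAC CloudFront is just another anonymous client and bucket ACLs still apply.
        privileged = bool(s3cfg.get("OriginAccessIdentity")) or bool(origin.get("OriginAccessControlId"))
        if privileged and not _viewer_restricted(b):
            findings.append((pattern, origin["DomainName"]))
    return findings

# Constructed sample in the shape of get_distribution_config()["DistributionConfig"].
NO_AUTH = {"TrustedSigners": {"Enabled": False, "Quantity": 0},
           "TrustedKeyGroups": {"Enabled": False, "Quantity": 0}}
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "uploads", "DomainName": "example-uploads.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAI"}},
        {"Id": "assets", "DomainName": "example-assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "assets", **NO_AUTH},
    "CacheBehaviors": {"Quantity": 2, "Items": [
        {"PathPattern": "/uploads/*", "TargetOriginId": "uploads", **NO_AUTH},
        {"PathPattern": "/private/*", "TargetOriginId": "uploads",
         "TrustedSigners": {"Enabled": False, "Quantity": 0},
         "TrustedKeyGroups": {"Enabled": True, "Quantity": 1, "Items": ["EXAMPLEKEYGROUP"]}},
    ]},
}
```

Running `find_open_s3_paths(SAMPLE_CONFIG)` reports only the `/uploads/*` path: the default behaviour fronts a bucket with no OAI (so the bucket's own permissions still apply) and `/private/*` requires a signed key group.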
After notifying the company repeatedly through early October, vpnMentor finally received a one-word response from Pray.com CEO, Steve Gatena: “Unsubscribe.”
While most of the misconfigured buckets’ 1.8 million files featured corporate content, those 80,000 exposed files represented a serious privacy and security risk.
They contained profile pictures uploaded by app users; CSV files from churches using the app, listing the names, home and email addresses, phone numbers and other details of churchgoers; and PII of individuals donating to churches via the app.
Perhaps most damaging was a feature which uploads the entire phonebook of any user who gives the app permission to invite their friends to join. These “phonebooks” contained hundreds of contacts, with info including name, phone number, email, home and business address.
Many of the files also contained log-ins from private accounts, the report continued.
This data went all the way back to 2016.
The researchers warned that individuals caught up in the leak, some of whom had .gov and .mil email addresses, were at risk from follow-on phishing, identity fraud and account takeover.
The vpnMentor team noted that regulators for the CCPA and GDPR may want to investigate further. Five weeks after initial contact was made with Pray.com, the offending files were removed, although the S3 buckets apparently remain exposed.