Personal information belonging to over 31 million customers of a popular virtual keyboard app has leaked online, after the app’s developer failed to secure the database’s server.
The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users across the world.
But the server wasn’t protected with a password, allowing anyone to access the company’s database of user records, totaling more than 577 gigabytes of sensitive data.
The database appears to only contain records on the app’s Android users.
The discovery was made by security researchers at the Kromtech Security Center, which posted details of the exposure alongside ZDNet. The data was only secured after several attempts to contact Fitusi, who acknowledged the security lapse this weekend. The server has since been secured, but Fitusi did not respond when we asked for comment.
ZDNet obtained a portion of the database to verify.
Each record contains basic collected data, including the user’s full name, email addresses, and how many days the app was installed. Each record also included a user’s precise location, including their city and country.
Other records are significantly more detailed. The app has a free version, which per its privacy policy collects more data than the paid version, which the company uses to monetize with advertising.
More complete records also include the device’s IMSI and IMEI number, the device’s make and model, its screen resolution, and the device’s specific Android version.
A large portion of the records also included the user’s phone number and the name of their cell phone provider, and in some cases their IP address and the name of their internet provider if connected to Wi-Fi. Many records contain specific details of a user’s public Google profile, including email addresses, dates of birth, genders, and profile photos.
We also found several tables of contact data uploaded from users’ phones. One table listed 10.7 million email addresses, while another contained 374.6 million phone numbers. It’s not clear for what reason the app uploaded email addresses and phone numbers of contacts on users’ phones.
Several tables contained lists of every app installed on a user’s device, such as banking apps and dating apps.
It’s not unusual for on-screen keyboards to have wide-ranging access to some of the highest levels of Android permissions. Android will warn users that keyboards “may be able to collect all the text that you type, including personal information like passwords and credit card numbers.” AI.type is no exception, with read access to contact data, text messages, photos and video access and other on-device storage, record audio, and full network access.
For its part, AI.type says on its website that users’ privacy “is the main concern.” Any text entered on the keyboard “stays encrypted and private,” says the company.
But the database wasn’t encrypted. We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear.
The company also promises to “never share your data or learn from password fields,” but we saw one table containing more than 8.6 million entries of text that had been entered using the keyboard, which included private and sensitive information, like phone numbers, web search terms, and in some cases concatenated email addresses and corresponding passwords.
Bob Diachenko, head of communications at Kromtech Security Center, warned of the dangers of using free apps.
“Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online,” he told ZDNet. “This presents a real risk for cyber criminals who could commit fraud or scams using such detailed information about the user.”
“It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,” he added.
“It is clear that data is valuable and everyone wants access to it for different reasons,” he said. “Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways.”
Contact me securely: Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
This article originally appeared on ZDNet.