So I reverse engineered two dating apps.

Video and picture leak through misconfigured S3 buckets

Typically, for images or other assets, some sort of Access Control List (ACL) will be set up. For assets such as profile photos, a standard way of applying an ACL is:

The key acts as a "password" to access the file, and that password is only handed to users who need access to the image. For a dating app, that is whoever the profile is presented to. The scheme only means anything if the bucket itself refuses unsigned requests: a valid key in the URL is pointless when the same object can be fetched without one.
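A worked example of the key-as-password scheme, added here and not taken from the original post: a simplified HMAC-signed, expiring URL in Python. Real S3 presigned URLs use AWS Signature Version 4 over more fields than this, but the property is the same: the link is only usable while it carries a valid signature over the object path and the expiry. The CDN hostname, signing secret, paths and user ids below are assumptions made for the demo.

```python
"""Added example (not the post's code): a minimal HMAC-signed, expiring URL
for a profile photo.  A simplified stand-in for S3 presigned URLs; the
secret, hostname and paths are constructed for the demo."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"demo-signing-secret"        # constructed; in practice a KMS-held key
BASE_URL = "https://cdn.example.com"   # assumed CDN hostname


def _signature(path: str, expires: int, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the canonical string "<path>\\n<expires>"."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None,
             secret: bytes = SECRET) -> str:
    """Return a URL that is valid for ttl_seconds from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"Expires": expires,
                       "Signature": _signature(path, expires, secret)})
    return f"{BASE_URL}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None,
               secret: bytes = SECRET) -> bool:
    """True only if the signature covers this exact path and expiry, and
    the expiry has not passed.  Changing the path, the expiry or the
    signature makes the check fail; a URL with no signature fails too."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["Expires"][0])
        presented = qs["Signature"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    expected = _signature(parts.path, expires, secret)
    # constant-time comparison so a forger cannot time-attack the digest
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    u = sign_url("/profiles/123/photo1.jpg", 300)
    print(u)
    print("valid:", verify_url(u))
    print("tampered path valid:", verify_url(u.replace("photo1", "photo2")))
```

The point a reviewer checks is that `verify_url` is evaluated on the storage side (or by the CDN) for every request; if the origin bucket also answers unsigned requests, the signature is decoration.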

We identified several misconfigured S3 buckets belonging to The League during the research. All photos and videos were inadvertently made public, along with metadata such as which user uploaded them and when. Normally the app fetches the pictures through CloudFront, a CDN sitting in front of the S3 buckets. Unfortunately the underlying S3 buckets are severely misconfigured, so the CDN layer adds nothing: anyone who can name the bucket can list and read it directly.
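To make "severely misconfigured" checkable, here is an offline audit of a bucket's ACL and bucket policy for public grants, added here and not part of the post's own tooling. The inputs have the same shape as the JSON returned by `aws s3api get-bucket-acl` and the `Policy` document from `aws s3api get-bucket-policy`; the sample ACL, policy, bucket name and owner id below are constructed for the demo, not captured from any real bucket.

```python
"""Added example (not the post's code): flag public grants in an S3 bucket
ACL and bucket policy.  Sample documents are constructed for the demo."""
import json
from typing import List, Optional, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# "AuthenticatedUsers" is any AWS account in the world, so treat it as public.
PUBLIC_GROUP_URIS = {ALL_USERS, AUTHENTICATED_USERS}


def public_acl_grants(acl: dict) -> List[Tuple[str, str]]:
    """Return (group URI, permission) for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"], grant.get("Permission", "")))
    return findings


def _principal_is_public(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (or a list containing "*") is everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_policy_statements(policy: dict) -> List[str]:
    """Return Sids of Allow statements whose Principal is everyone.
    Conditions are deliberately not evaluated: a conditioned Allow to "*"
    is still reported so a human looks at it."""
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    found = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


def audit_bucket(acl: dict, policy: Optional[dict]) -> dict:
    """Combine both checks; an empty result means no public grant was found."""
    return {"acl": public_acl_grants(acl),
            "policy": public_policy_statements(policy or {})}


# Constructed sample: a bucket like the one the post describes, world-readable
# both through its ACL and through a bucket policy, next to a legitimate
# grant to a CloudFront origin access identity.
SAMPLE_ACL = {
    "Owner": {"ID": "exampleowner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-profile-photos/*"},
    {"Sid": "OAIOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEID"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-profile-photos/*"}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

To run it against a real bucket you own or are authorised to test, feed `aws s3api get-bucket-acl --bucket NAME` straight in, and for the policy apply `json.loads` a second time to the `Policy` field of `aws s3api get-bucket-policy --bucket NAME`, since the policy comes back as a JSON string inside JSON. The durable fix for the situation the post describes is to turn on S3 Block Public Access for the bucket (`aws s3api get-public-access-block` shows the current state) and let only CloudFront read the origin, via an origin access identity or origin access control, so that direct reads of the bucket fail regardless of what the CDN signs.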