Photo Editing App 'Fotor' Exposed 13 Million Users Online 

Secure Thoughts collaborated with Security Expert Jeremiah Fowler to expose a massive leak of user information by a photo editing application. Here are his findings: 

On October 15th I discovered a non-password protected database that contained a large number of internal records. There was a total of more than 123 million records exposed that contained a combination of test and production data. The most disturbing part of the discovery was a massive collection of 13 million user records that included their names, email addresses, user ID numbers in plain text.

Often it can take a very long time to research who is responsible for the exposed data and how to contact them. Many times companies or organizations will try to make their data anonymous or encrypt the records. I have discovered many records where I knew they contained something sensitive but couldn’t figure out who to report the findings to. In this particular case it was easy to find the owner of the database because all of the folders contained the name “Fotor”. Very quickly there was enough evidence in the data to trace it back to Fotor, a multi-platform photo editing tool.

I immediately sent a responsible disclosure notice of my findings. The following day I got a reply that my message was forwarded and someone would be getting back to me. Public access was restricted shortly after my notice. I received a follow-up email on October 19th and acknowledgment of my notification that said:

“As the trouble shooting by our technical guys are still ongoing, we assume that it may take a few days. Meanwhile, in order to express our appreciation to your alert in a timely manner, we’d like to offer each of you a redeem code for an annual subscription (the 39.99 USD package) of Fotor website service. You are free to either subscribe yourself or send it to a friend”.

It is always good to see a company that values data security, online privacy, and understands bug bounties or discovery rewards are a common practice. Having a bug bounty or reward program is a common-sense solution to have outside eyes on your network and it is how many security researchers fund their work. This is the first time someone has offered me a free subscription for a service that has just exposed the inner workings of their business, internal network data, and user data online as a reply to my responsible disclosure notification.

The Risk of This Exposure

Data exposures happen to companies big and small and users often have no control over how their data is collected or stored. I am not implying that their users are in imminent danger, but there are real risks to their online privacy. When you use an app or service it creates a relationship of trust with that company. Social engineering is now one of the most common techniques used by cybercriminals. Using social engineering to obtain personal information is a real threat to being a victim of identity theft or fraud.

Let’s say hypothetically someone had a list of 13 million users’ information and emailed those users from a spoofed or similar email asking for them to update their payment information. You can guarantee that a percentage of users would provide their information believing that this was a legitimate email based on the internal account information. Or even easier would be to add those emails to a spam phishing, or malware database and target them personally by name. A simple email with a user’s name in the subject and a malware link is a time tested method still being used today.

What the database contained:

• This database was set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
• 123,667,540 total records accessible.
• Exposed records that contain internal records that include testing and production data.
• 13 Million Users’ Names, Email Address and geolocation.
• Users could be targeted in a phishing attack from a relationship of trust.
• Database at risk for ransomware, malware, or an automated Meow bot attack.
• Middleware and build information that could allow for a secondary path for malware. IP addresses, Ports, Pathways, and storage info that cybercriminals could exploit to access deeper into the network.
• IP addresses, Ports, Pathways, and storage info that cybercriminals could exploit to access deeper into the network.

It is unclear how long these records were exposed or who else may have had access to this data. It is also unclear if users were ever informed of the data breach. Fotor (Everimaging Ltd.) is based in Chengdu, Sichuan, China.  According to the description on the Google play store “Fotor is an online photo editing program with 350 million users from all around the globe”. I did see geolocation logging in the user accounts from multiple countries.

Data breaches and security incidents will continue to happen as new vulnerabilities appear in the ever-changing cycle of updates, middleware, and operating systems within their environment. Each new vulnerability is a potential backdoor into the network waiting to be hacked. There seems to be no end in sight and with automated bots and ransomware attacks on the rise, exposed data has never been more vulnerable than it is now.

As difficult as it can be for any company or organization to be open and honest about a data exposure, companies must do more to protect and notify their users in the event of a data breach. Users trust that when they try or buy a service or application that their data is safe. Companies have an obligation to inform users so that they can be aware and look for suspicious emails or contacts that may arrive from the data incident. Some US and European laws require companies to notify users if their data has been exposed, but it is unclear if the Chinese based company would face the same requirements. No further reply was given by Fotor or their parent company Everimaging Ltd. at the time of publication.