A webcam app installed by thousands of users left a database packed with user data exposed on the internet without a password.
The Elasticsearch database belonged to Adorcam, an app for viewing and controlling many webcam models, including Zeeporte and Umino cameras. Security researcher Justin Paine discovered the data exposure and contacted Adorcam, which secured the database.
Paine said in a blog post shared with TechCrunch that the database contained approximately 124 million rows of data for several thousand users, and included live details about the webcam – such as its location, whether the microphone was active and the name of the WiFi network that the camera is connected to – and information about the webcam owner, such as email addresses.
Paine also found evidence of uploads from the camera to the app’s cloud, though he could not verify this since the link had expired.
He also found hardcoded credentials in the database for the app’s MQTT server. MQTT is a lightweight messaging protocol often used in internet-connected devices. Paine did not test the credentials (because doing so would be illegal in the US), but he alerted the app creator to the vulnerability, and the app creator then changed the password.
Paine verified that the database was updating live by signing up with a new account and searching for his information in the database. Although the data was limited in sensitivity, Paine warned that a malicious hacker could craft a convincing phishing email, or use the information for extortion.
Adorcam did not return our email with questions – including if the company planned to notify users of the incident.