Therefore I reverse engineered two dating apps.

Video and picture leak through misconfigured S3 buckets

Typically for images or other assets, some sort of Access Control List (ACL) would be in place. A common way of implementing ACL would be for assets such as profile pictures

The key would act as a “password” to access the file, and the password would only be given to users who need access to the image. In the case of a dating app, that is whoever the profile is presented to.

We have identified several misconfigured S3 buckets on The League during the research. All pictures and videos are inadvertently made public, with metadata such as which user uploaded them and when. Normally the app would get the images through CloudFront, a CDN on top of the S3 buckets. Unfortunately the underlying S3 buckets are severely misconfigured.

Side note: as far as I can tell, the profile UUID is randomly generated server-side when the profile is created. So that part is unlikely to be easy to guess. The filename is controlled by the client; the server accepts any filename. However, in the client app it is hardcoded to upload.jpg.

The vendor has since disabled public ListObjects. However, we still think there should be some randomness in the key. A timestamp cannot serve as a key.
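A way to check a bucket for the public listing and public read described above, as an added example that is not code from the original post or from The League. It assumes the exposure would show up in the bucket policy (the post does not say whether a policy or a bucket ACL was responsible); the policy, bucket name and Sids are constructed. The ListObjects API is authorized by the `s3:ListBucket` action, which is why that action is the one flagged.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy; bucket name and Sids are made up for illustration.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-media"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-media/*"},
    {"Sid": "CdnOnly", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media/*"},
]})

# Actions that matter for the exposure described in this section.
RISKY = {
    "s3:ListBucket": "anyone can enumerate object keys (ListObjects)",
    "s3:GetObject": "anyone can download an object once its key is known",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both include unauthenticated callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_policy(policy_json):
    """Return (sid, action, risk) for each unconditional anonymous Allow."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need manual review; not judged here
        for pattern in _as_list(stmt.get("Action", [])):
            for action, risk in RISKY.items():
                # IAM action names are case-insensitive and allow * and ? wildcards.
                if fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", "?"), action, risk))
    return findings

if __name__ == "__main__":
    for sid, action, risk in audit_policy(SAMPLE_POLICY):
        print(f"[{sid}] public {action}: {risk}")
```

Removing the `s3:ListBucket` finding stops enumeration, but a remaining public `s3:GetObject` still leaves every object readable to anyone who can guess its key, which is the reason for wanting randomness in the key.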

IP doxing through link previews

Link preview is something that is hard to get right in a lot of messaging apps. There are typically three strategies for link previews:

The League uses recipient-side link previews.