A webcam app installed by thousands of users left an exposed database packed with user data on the internet without a password.
The Elasticsearch database belonged to Adorcam, an app for viewing and controlling several webcam models including Zeeporte and Umino cameras. Security researcher Justin Paine discovered the data exposure and contacted Adorcam, which secured the database.
Paine said in a blog post shared with TechCrunch that the database contained about 124 million rows of data for the several thousand users, and included live details about the webcam — such as its location, whether the microphone was active and name of the WiFi network that the camera is connected to — and information about the webcam owner, such as email addresses.
Read this week's Decrypted.
Got a tip? Contact us securely using SecureDrop. Find out more here.
Paine also found evidence of the camera uploading captured stills from the webcam to the app's cloud, though he could not verify since the links had expired.
He also found hardcoded credentials in the database for the app's MQTT server, a lightweight messaging protocol often used in internet-connected devices. Paine did not test the credentials (as doing so would be unlawful in the U.S.), but also alerted the app maker to the vulnerability, who then changed the password.
Paine verified that the database was updating live by signing up with a new account and searching for his information in the database. Although the data was limited in sensitivity, Paine warned that a malicious hacker could craft convincing phishing emails, or use the information for extortion.
Adorcam did not return our emails with questions — including if the company planned to inform users of the incident.