Video and picture leak through misconfigured S3 buckets
Typically, for photos or any other assets, some form of Access Control List (ACL) is set up. A common way of implementing an ACL would be for assets such as profile pictures
The key would act as a “password” to gain access to the file, and the password would only be given to users who need access to the image. In the case of a dating app, that is whoever the profile is presented to.
I’ve identified several misconfigured S3 buckets on The League during the research. All photos and videos are inadvertently made public, with metadata such as which user uploaded them and when. Normally the app would get the pictures through CloudFront, a CDN on top of the S3 buckets. Unfortunately the underlying S3 buckets are severely misconfigured.
Side note: as far as I can tell, the profile UUID is randomly generated server-side when the profile is created, so that part is unlikely to be easy to guess. The filename is controlled by the client; any filename is accepted by the server. In the client app it’s hardcoded to upload.jpg.
The vendor has since disabled public listObjects. However, we still think there must be some randomness in the key. A timestamp cannot act as the key.
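A defender-side sketch of the two points above, added here as an example and not taken from the app or the vendor: it flags anonymous list/read grants in a bucket policy and builds object keys from random bits instead of a timestamp. The sample policy, the bucket name `example-media`, the extension allowlist and the `<profile UUID>/<token>.<ext>` key layout are all assumptions.

```python
import json
import secrets
from fnmatch import fnmatchcase

# Constructed sample policy (not the vendor's). The ListObjects API call is
# authorised by the s3:ListBucket permission.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-media"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-media/*"},
    {"Sid": "CdnRead", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media/*"},
]})
ALLOWED_EXT = {"jpg", "jpeg", "png", "mp4"}  # assumed allowlist
RISKY = ("s3:ListBucket", "s3:GetObject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True when the Principal element matches every caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_grants(policy_json):
    """Return (Sid, permission) pairs that give anyone list or read access."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # conditioned grants need manual review; not flagged here
        if not is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            # Policy actions may contain wildcards and are case-insensitive.
            findings += [(stmt.get("Sid", "?"), r) for r in RISKY
                         if fnmatchcase(r.lower(), action.lower())]
    return findings


def new_object_key(profile_uuid, client_filename):
    """Build a key whose unguessable part is 128 random bits, not a timestamp."""
    ext = client_filename.rsplit(".", 1)[-1].lower() if "." in client_filename else ""
    if ext not in ALLOWED_EXT:
        raise ValueError("unsupported file type")
    # The client-chosen name is discarded; only the vetted extension survives.
    return f"{profile_uuid}/{secrets.token_urlsafe(16)}.{ext}"
```

A bucket ACL or account-level setting can also expose objects, so a clean result from `public_grants` covers only the policy document.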
IP address doxing through link previews
Link preview is something that is hard to get right in a lot of messaging apps.