More than 50.55 million user accounts of GOMO apps, which are popular amongst children, have been exposed after a port was left opened in an administrative oversight. The incident is reported to have potentially compromised personal data such as user names, passwords, mobile numbers, and unique device information.
The apps were produced by Guangzhou-based developer Sungy Mobile, and included GOMO Reading, GO Launcher, and GO Keyboard. The Chinese developer said on its website that its app portfolio clocked more than 2 billion downloads and were available in more than 200 countries and 48 languages.
The security incident was first discovered on May 25, 2018, by an independent researcher, named “Flash Gordon”, who said the data was left exposed on an open Port 80 in a backup system. The researcher found a second IP address on May 27, which required no login credentials and exposed all of the backup data in the system.
Along with Databreaches.net, which later published the discovery, “Flash Gordon” tried unsuccessfully to contact the developer, leaving the hole unplugged for five days. The compromised data was hosted in Hong Kong.
On June 2, following the researchers’ efforts to notify Sungy and its hosting provider, NTT Com Asia, the servers were no longer openly available.
Databreaches.net later said it received a reply from GOMO on August 16, which revealed the port was left open after its tech team had “fixed an issue on AWS” and “failed to close” Port 80. Following the oversight, it further noted, additional manpower had been deployed to “double check” tasks involving GOMO’s database and “enhanced encryption” had been implemented on all “user-related data”, including email and user interface.
The researchers noted that the misconfiguration had exposed not only GOMO user data, but also information about Sungy’s application development as well as internal and system specifications.
“Data from every application as well as deployment, product, administration, statistics, payment gateways, and much more was left unprotected in plaintext,” said Databreaches.net. “The databases also contained a lot of data that did not appear to be directly linked to their own applications, but might be related to other products of theirs involving [those] providing digital marketing and game distribution services for merchants, brands, and other companies– material that might be especially attractive to threat actors who search for or stumble over it.”
Sungy also offers a mobile advertising platform.
According to Databreaches.net, the exposed data included accounts of customers residing in the US and the open port had revealed links to application-based information such as the users’ game credits and it-store purchases.
Due to its misconfiguration, GOMO also exposed 477,521 account IDs of customers who subscribed to the vendor’s VPN service. Databreaches.net noted that roster logs revealed the Chinese developer’s backup systems were regularly updated.
Commenting on the incident, Netskope’s director of product management Gautam Kanaparthi said: “The exposed Sungy Mobile database is a classic case of misconfiguration. All the security precautions in the world can’t protect you from a careless systems administrator forgetting to set a port password, and hackers are becoming increasingly good at sniffing out databases that require little to no authentication to access.
“At the end of the day, mistakes like these aren’t ‘patchable’,” said Kanaparthi, who touted the benefits for automation tools to address human errors.
ZDNet early this week reached out to GOMO with questions about the matter and whether affected customers as well as the relevant authorities had been informed about the data exposure. We will update the article when GOMO responds.