The Christian faith app Pray.com has leaked private data for up to 10m people, say researchers.
Information exposed in a public cloud bucket included PII, church-donation information, photos & users’ contact lists.
The app offers “daily prayer & Bible stories to inspire, educate & help you sleep” on a subscription basis. Subscriptions cost between US$50 & $120. It offers a host of audio content, including services from US televangelists like Joel Osteen, & religious recordings using celebrity voices like Kristen Bell & James Earl Jones.
It has been downloaded by more than 1m people on Google Play & ranks as the #24 lifestyle app in the Apple App store.
vpnMentor analysts found several open, publicly accessible cloud storage buckets (Amazon Web Services S3 buckets, in this case) belonging to Pray.com, containing 1.9m files – around 262GB of data.
The majority was internal information, but one of the buckets contained concerning data, the researchers explained. 80,000 files contained various personally identifiable information (PII) for 10s of millions of people, & not just Pray.com users.
These included photos uploaded by the app’s users (profile photos & avatars for Pray.com’s private “Communities” social network), including those of minors.
The files included CSV files from churches that use the app to communicate with their congregations, the investigation found.
These files contained lists of the church’s attendees, with information for each churchgoer that included names, home & email addresses, phone numbers & marital status.
The app also says that it facilitates church donations & users can donate directly via the app to any church that is part of the Pray.com ecosystem.
The donations were also logged in the bucket, along with the donation amount, the donor’s PII & Pray.com’s fee for processing the donation. However, there were no records of donations being forwarded to churches.
“The long lists of donations processed by Pray.com would give cyber-criminals invaluable insight into the finances of app users & an opportunity to contact them appearing as the app, querying a previous donation,” researchers observed.
The cloud database included whole phone books from users. When a person joins the Communities social network, the app asks if it can invite friends to join. If a user says yes, the app uploads the user’s entire ‘phonebook’ from their device, containing all contacts & associated information.
Researchers explained that many of these phonebooks contained 100s of individual contacts, each one revealing that person’s PII data, including names, phone numbers, email, home & business addresses, & other details, like company names & family ties. Some of the entries included login information for private accounts.
“The people whose data Pray.com had stored in these phonebook files were not app users,” according to vpnMentor’s analysis this week. “They were simply people whose contact details had been saved on a Pray.com user’s device. In total, we believe Pray.com stored up to 10m people’s private data without their direct permission & without its users realising they were allowing it to happen.”
Interestingly, a little over 80,000 files had been made private, accessible only to people with the right security permissions. However, these files were still being exposed through a 2nd Amazon service, vpnMentor found, demonstrating how easily one cloud configuration can undo another.
“Through further investigation, we learned that Pray.com had protected some files, setting them as private on the buckets to limit access,” they explained. “However, at the same time, Pray.com had integrated its S3 buckets with another AWS service, the AWS CloudFront content delivery network (CDN).
CloudFront lets app developers cache content on proxy servers hosted by AWS around the world & closer to an app’s users, rather than load those files from the app’s servers. Thus, any files on the S3 buckets could be indirectly viewed & accessed through the CDN, regardless of their individual security settings.”
They added, “Pray.com’s developers accidentally created a backdoor that gave complete access to all the files they had tried to protect.”
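The failure mode vpnMentor describes is worth making concrete: once a CloudFront distribution is allowed to read a bucket (through an origin access identity or origin access control), the S3 ACL on each object no longer decides who can fetch it; the only thing standing between the internet and a “private” object is whether the cache behaviour routing to that origin demands a signed URL or signed cookie. The following audit script is an added illustration, not code from vpnMentor or Pray.com. It runs offline over constructed distribution configurations shaped after the CloudFront `DistributionConfig` structure (`Origins`, `DefaultCacheBehavior`, `CacheBehaviors`, `TrustedKeyGroups`, `TrustedSigners`); the distribution IDs and bucket names are placeholders. In practice the same dictionaries would come from `cloudfront.get_distribution_config()`.

```python
"""Flag CloudFront cache behaviours that expose S3 objects to anyone on the
internet, regardless of the objects' own ACLs.

Model: an S3 object behind CloudFront is effectively public when the cache
behaviour that routes to the bucket has no trusted key group and no trusted
signer enabled (i.e. no signed URL / signed cookie is required). The viewer
never hits the S3 ACL; only CloudFront's own identity (OAI/OAC) must be
allowed by the bucket policy, which is exactly the setup described above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    distribution_id: str
    path_pattern: str       # "*" for the default behaviour
    bucket: str
    origin_auth: str        # "OAC", "OAI" or "none"
    effectively_public: bool


def _is_s3_origin(origin: dict) -> bool:
    # S3 origins carry S3OriginConfig (even when an OAC is used, where
    # OriginAccessIdentity is then an empty string); custom origins do not.
    return "S3OriginConfig" in origin


def _bucket_name(domain: str) -> str:
    # <bucket>.s3.<region>.amazonaws.com  or  <bucket>.s3.amazonaws.com
    return domain.split(".s3")[0]


def _origin_auth(origin: dict) -> str:
    if origin.get("OriginAccessControlId"):
        return "OAC"
    if origin.get("S3OriginConfig", {}).get("OriginAccessIdentity"):
        return "OAI"
    return "none"   # bucket itself must be public for CloudFront to serve it


def _requires_signed_request(behavior: dict) -> bool:
    signers = behavior.get("TrustedSigners", {}).get("Enabled", False)
    key_groups = behavior.get("TrustedKeyGroups", {}).get("Enabled", False)
    return bool(signers or key_groups)


def audit_distribution(dist_id: str, config: dict) -> list[Finding]:
    """Return one Finding per cache behaviour that targets an S3 origin."""
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    # The default behaviour matches every path not claimed by a more specific one.
    behaviors = [("*", config["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b)
                  for b in config.get("CacheBehaviors", {}).get("Items", [])]
    findings = []
    for pattern, behavior in behaviors:
        origin = origins[behavior["TargetOriginId"]]
        if not _is_s3_origin(origin):
            continue
        findings.append(Finding(
            distribution_id=dist_id,
            path_pattern=pattern,
            bucket=_bucket_name(origin["DomainName"]),
            origin_auth=_origin_auth(origin),
            effectively_public=not _requires_signed_request(behavior),
        ))
    return findings


def audit_all(configs: dict[str, dict]) -> list[Finding]:
    return [f for dist_id, cfg in configs.items()
            for f in audit_distribution(dist_id, cfg)]


# Constructed sample configs (placeholder IDs and bucket names, not real data).
SAMPLE_DISTRIBUTIONS = {
    # Pattern from the article: objects set private in S3, an OAI lets CloudFront
    # read them, and the default behaviour requires no signed request.
    "EXAMPLE_DIST_A": {
        "Origins": {"Items": [{
            "Id": "uploads",
            "DomainName": "example-uploads-bucket.s3.amazonaws.com",
            "S3OriginConfig": {"OriginAccessIdentity":
                               "origin-access-identity/cloudfront/EXAMPLEOAI"},
        }]},
        "DefaultCacheBehavior": {"TargetOriginId": "uploads",
                                 "TrustedSigners": {"Enabled": False},
                                 "TrustedKeyGroups": {"Enabled": False}},
    },
    # Mixed: public static assets by default, user uploads only via signed URLs,
    # and a custom (non-S3) API origin that the audit ignores.
    "EXAMPLE_DIST_B": {
        "Origins": {"Items": [
            {"Id": "assets", "DomainName": "example-assets.s3.eu-west-1.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""}},
            {"Id": "uploads", "DomainName": "example-uploads.s3.eu-west-1.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""},
             "OriginAccessControlId": "EXAMPLEOAC"},
            {"Id": "api", "DomainName": "api.example.invalid",
             "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
        ]},
        "DefaultCacheBehavior": {"TargetOriginId": "assets",
                                 "TrustedSigners": {"Enabled": False},
                                 "TrustedKeyGroups": {"Enabled": False}},
        "CacheBehaviors": {"Items": [
            {"PathPattern": "/private/*", "TargetOriginId": "uploads",
             "TrustedSigners": {"Enabled": False},
             "TrustedKeyGroups": {"Enabled": True, "Items": ["EXAMPLEKG"]}},
            {"PathPattern": "/api/*", "TargetOriginId": "api",
             "TrustedSigners": {"Enabled": False},
             "TrustedKeyGroups": {"Enabled": False}},
        ]},
    },
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_DISTRIBUTIONS):
        state = "PUBLIC VIA CDN" if f.effectively_public else "signed requests only"
        print(f"{f.distribution_id} {f.path_pattern:12} s3://{f.bucket:28} "
              f"origin auth={f.origin_auth:4} -> {state}")
```

The useful output is the “PUBLIC VIA CDN” line for a bucket whose objects the operator believes are private: that is the combination the article describes, and the fix is either to require signed URLs or cookies (a trusted key group) on that behaviour or to stop fronting the bucket with the distribution at all. An origin with `origin auth=none` is a separate warning sign, since CloudFront can only serve it if the bucket is readable by anyone directly.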
Chris DeRamus, VP of Technology for the Cloud Security Practice at Rapid7, noted that companies need to be aware that the self-service nature of the cloud opens them up to increased risk.
“Unprotected S3 buckets & databases are a common occurrence, & one that attackers continue to exploit. In fact, out of 196 breaches caused by cloud misconfigurations in 2018 & 2019, S3 bucket misconfigurations accounted for 16 percent of those breaches,” he commented.
“Organisations should take the appropriate security measures, such as security automation, to ensure that data is protected at all times. If risk is not considered & addressed initially, organisations can face fines, legal fees, & ultimately risk their viability.”
The bucket was found on Oct. 6, but it was not made private despite many attempts to contact Pray.com about the problem, according to vpnMentor. Only after the researchers contacted Amazon directly were the contact files deleted from the open bucket, on Nov. 17.
While it is unknown how long the files were exposed, some of the data dated back to 2016, researchers warned.
“By not protecting its users’ data & while also aggressively harvesting the data of their friends & family – Pray.com has exposed millions of people to various dangers like phishing, identity theft & account takeover,” suggested vpnMentor. “The implications for the app’s users, & the general public, should not be understated.”