A cloud misconfiguration at a now-defunct social media app has exposed hundreds of thousands of files, including explicit photos of users that they thought had been deleted, according to vpnMentor.
A research team led by Noam Rotem discovered the AWS S3 bucket on October 13 last year, tracing it back to Fleek and owner Squid Inc.
The app apparently marketed itself as an uncensored alternative to Snapchat “Campus Stories.” A hit with US college students, it promised to automatically delete photos after a short period, encouraging users to post salacious pics of themselves engaged in sexually explicit and illegal activities.
However, as the researchers found, many photos were not deleted at all — in fact, they were still being stored long after the app was closed down in 2019.
“Many of these were shared in folders given offensive and derogatory names like ‘asianAss’ by the app’s developers,” vpnMentor explained.
“Fleek users were mostly college students naive of the implications of uploading images that show them engaging in embarrassing and criminal activities, such as drug use. If cyber-criminals obtained these images and knew how to find the people exposed, they could easily target them and blackmail them for large sums of money.”
In total, the research team found around 377,000 files in the 32GB bucket. This also included photos and bot scripts which it’s believed relate to a paid chat room service the app’s owners were trying to promote to users.
To encourage male users, the app’s owners appear to have created numerous bot accounts using images of women scraped from the internet. To ‘chat’ to these bots, users would have to pay a fee.
Having contacted both Squid Inc’s founder and AWS to notify about the privacy snafu, vpnMentor found the bucket had been secured about a week after it was discovered. However, it’s unclear whether the data has been deleted or not.
“Never share anything you’d be embarrassed about online — few systems are 100% secure from hacking, leaks, or dishonest people saving incriminating images to hurt you in the future,” warned vpnMentor.
“It’s also important to know what happens to your data after a company that has collected it goes bankrupt or shuts down. Often, with smaller companies, the owner maintains possession of the data, and there’s very little accountability stopping them from misusing it or sharing with others in the future.”