Keyboard app AI.type leaks data of 31m users

Federico Mansilla
Diciembre 7, 2017

On Tuesday security shop Kromtech released details on a MongoDB database it found unsecured online containing 577GB of data collected by predictive keyboard app AI.type from its over 31 million users.

The app, AI.type, stored its data on a server owned by company co-founder Eitan Fitusi.

The massive trove of information was not protected by a password, meaning anyone with the direct URL to the database could access the information stored within.

The data leak, according to the researchers, only affects the app on Android and not iOS, so iPhone users can keep feeling smug.

Fitusi who acknowledged the breach has secured the server since the news went public but did not respond to any questions.

ZDNet who obtained a portion of the database to verify the information collected by the servers made a few scarier revelations to the breach. The data also contained information around user's precise location, including city and country.

Available on iOS and Android, AI.type is a keyboard app which has around 40 million users that offers both a free and paid for version. Accompanying the numbers were the make and model of the device, its screen resolution and the version of Android it was running. ZDNet said it also uncovered the contact details from user's address books.

We also found several tables of contact data uploaded from a user's phone. These weren't insignificant details either, they contained phone numbers, web searches and email addresses and corresponding passwords. One table listed 10.7 million email addresses, while another contained 374.6 million phone numbers.

More news: Document: Mariah Woods may have been sexually abused by mom's boyfriend

"Once again, a reckless software vendor has carelessly left its users' sensitive data available for anyone to grab", says Graham Cluley, a cybersecurity expert to GearBrain.

It's not unusual for on-screen keyboards to have wide-ranging access to some of the highest levels of Android permissions.

Among the compromised data are dates of birth, email addresses, passwords and information from their Google accounts, as well as all the actual text typed using the keyboard. AI.type is no exception, with read access to contact data, text messages, photos and video access and other on-device storage, record audio, and full network access.

AI.type says on its website that user's privacy 'is our main concern'.

And the app touts privacy as a big focus, noting that text tapped into the keyboard is private and encrypted. It also slurped 373 million names and phone numbers from the contacts of over six million users.

Bob Diachenko from the Kromtech Security Centre, a part of security company Mackeeper, highlighted the data access asked by the app at the time of installation was "shocking". At this point, Kromtech warns that anyone who had ever downloaded and installed ai.type keyboard should consider their data out in the open.

"This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user", he added.

'It is clear that data is valuable and everyone wants access to it for different reasons. However, he outlined that most of the data was insensitive.

Otros informes por

Discuta este artículo