back to article Data-slurping keyboard app makes Mongo mistake with user data

Another week, another open database left online, but this latest case has shown not only sloppy security but also how much data you’re giving up with some apps. On Tuesday security shop Kromtech released details on a MongoDB database it found unsecured online containing 577GB of data collected by predictive keyboard app AI. …

This post has been deleted by its author

vir
Bronze badge

Preemptive Hostility?

"So no one that uses our keyboard cannot be offended in any way and they all can feel safe, the data is completely flat and non-personal."

So everyone who uses their keyboard must be offended?

11
0
Anonymous Coward

Sleep-walking to the Data-Apocalypse one leak at a time

'No sensitive data there' - Who are they trying to kid? - Nothing to see here, except the sheer delusion of App-makers and Cloud peddlers everywhere:

"MongoDB database ... found unsecured online containing 577GB of data collected by predictive keyboard app AI.type from its over 31 million users. This included the name, email address and location, along with IMSI and IMEI numbers, IP address, phone spec and OS details, and links to user's social media profiles and photos. It also slurped 373 million names and phone numbers from the contacts of over six million users."

12
0
Silver badge

Why do people find the need to use a keyboard with Internet access?

It's pretty obvious what's going to happen.

Lineage OS or something like Hacker's Keyboard or Simple Keyboard will do the job just as well.

4
3
Silver badge

Re: Why do people find the need to use a keyboard with Internet access?

Good question, here's my take:

They're idiots who don't care about personal data security when presented with the the latest "shiny" or the next neat thing and they have more money than brains.

7
2
Silver badge

Re: Why do people find the need to use a keyboard with Internet access?

My "Swype + Dragon" keyboard just absolutely pounds me with requests for me to a) give it internet access and b) create an account and log in, every time it updates or I go to settings, so I can get k-rad kewl stuff like different themes. Whee. Different themes. Yay.

I have done neither, and I keep using it because it actually is a really good predictive keyboard. The predictions are spot-on, otherwise I would have tossed it long ago.

And Hacker's Keyboard sucks balls... I used it when it was the keyboard with the best ConnectBot compatibility, but since ConnectBot has improved its keyboard handing, I've happily uninstalled it.

1
0
Unhappy

Deluded

"any password or credit card information"... as though that is the only information of any value.

It is in this guys interest to continue the mis-truth that the rest of your data is worthless so you should hand it over for nothing.

As for leaving a database unsecured, that shows that they do not have a good tech team or at least an experienced one.

This guy sounds like a typical ceo of a tech company these days, arrogant and ignorant (just like the Twoo guy)... linkedin profile is full of terms like "organic growth" and not "data security" "company integrity".

14
0
Silver badge
Mushroom

Wow.

  • 31 million users
  • name, email address and location, along with IMSI and IMEI numbers, IP address, phone spec and OS details, and links to user's social media profiles and photos
  • 373 million names and phone numbers from the contacts of over six million users
  • Ai.type’s founder Eitan Fitusi, "...the archive only contained around half of the firm’s database information"
  • Ai.type’s founder Eitan Fitusi, “There is no sensitive data there,..."

Just wow.

17
0
Silver badge
Coffee/keyboard

"the data is completely flat and non-personal”

One would hope so will be his EEG after the lawsuits are over.

Seriously, that total panic tweet must have been sent from an Undisclosed Location. Hilarious.

6
0

"This included the name, email address and location, along with IMSI and IMEI numbers, IP address, phone spec and OS details, and links to user's social media profiles and photos. It also slurped 373 million names and phone numbers from the contacts of over six million users."

“There is no sensitive data there, we are not collecting\storing \sending any password or credit card information,”

if the data mentioned in the first quote isn't sensitive, I don't know what is.

6
0

Keyboard Apps?

Being an iOS user, I simply can't imagine why someone would switch out the keyboard that is provided by the developer of their OS, with a widget from the Play store, where you have zero assurance that it isn't up to something nefarious, like what happened here.

Perhaps one of those keyboard users can tell us, when installing this App, did it at any time warn that it would be transmitting every word your name, email, phone number and everything you ever typed in it to their servers?

And we wonder why we don't have security. No matter how secure people make their passwords, its all for nothing if it just winds up in your keyboard loggers, I mean, keyboard app makers, database.

2
3
Silver badge

Re: Keyboard Apps?

Really? With jokes like Apple spelling "corrections" and the letter "I" bug and crap like that? That's one reason I stay away from Apple.

Not only am I able to avoid baked-in keyboard bugs, but I've been able to try out a dozen predictive keyboards and find one that's decent and gets spot-on predictions for my writing style.

And my keyboard desperately wants me to enable internet access BUT I do have the option not to, and I haven't.

1
1
Anonymous Coward

Re: Keyboard Apps?

I think you've missed the point - it's a keyboard on a phone or similar device. Key-logging is by far the greater concern.

1
0
Silver badge

Re: Keyboard Apps?

Only in the developer of the OS also slurps using the default keyboard.

0
0
Silver badge
Holmes

Truer words have never been said

"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.”

It's time to bloody OUTLAW data slurping unless people specifically consent to something CLEARLY WRITTEN and SHORT. With the slurper is completely liable for any damage caused by the leakage!

Never happen, of course.

6
0

Predictive test app == keylogger?

Surely, if using a "predictive text" keyboard, there would be a history of the words you are typing on your phone in this database? A miscreant could easily sort through through the words and pick out sensitive PII from them.

0
0
Silver badge
Windows

I am hoping that it was

either a typo or a linguistic error that resulted in the phrase:

"This presents a real danger for cyber criminals who could commit fraud or scams....."

The terrifying bit here is that this db is associated with a keyboard app on phones, if this exists, is there another db out there from their "diagnostics" component that has pools of text that had been entered on these phones in "order to improve our application" that is similarly unprotected? I mean, "There is no sensitive data there...." --- so *cough* where is the "sensitive" data you dense as a plank moronic execubot?

1
0
Bronze badge

And yet....

It's STILL on the Google Play Store!

(Sigh)

0
0
Bronze badge

In the shady developers defense...

Most of the slurp is disclosed in the developers "privacy" policy (that nobody ever reads)

1.2. Data Collection. ai.type Application may collect statistical information (such as Ad-ID, IP address, Location based IP, contacts list, text messages, SSAID, IMEI, USER-ID , list of Apps installed, behavioral information) to ensure proper operation, verify information, tailor the keyboard to your specific preferences and ensure information security. ai.type will NOT publish NOR disclose any of user’s private and confidential information, such private ID numbers, driver’s and other license numbers, non-public contacts, or any other information that is not publicly accessible.

0
0
Silver badge

Re: In the shady developers defense...

"may collect "

Funny how the legalese is full of "may", "might" etc and when the actuality is always "will" and "does" etc. They like imply that they don't really collect everything, no sirree, we're ho nest and only collect what we really need to improve the app. Really, truly, honestly!

0
0
fpx
Facepalm

No Non-Free Option

Re: "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services"

I wish. I would love to pay for some apps to have ads or tracking removed. However, most of the time I do not have the option. Usually Apps only unlock additional features when you pay for them instead of using the free version, but do not disable tracking. Tracking users that are willing to pay is the most valuable data for them!

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018