Become a TechRadar Insider
- The breach directly granted access to 22 million session records and 3.47 million usernames and email addresses or similar identifiers
- The platform, which claims privacy and security as core tenets of its offerings, is often used for intimate or explicit conversations with strangers, making this security flaw a critical issue
- The leaks also contained sensitive metadata that can be tied back to users, including device details, gender, payment information, and geolocation-specific information such as IP addresses, country, and language
In what is being treated as a major cybersecurity lapse, the randomized video chat platform FTF Live may have unwittingly compromised millions of its users due to a misconfiguration.
The breach effectively exposed information from potentially as many as 3.47 million identifiable users across 22 million sessions, thanks to an openly accessible Kibana dashboard spotted by security researchers, which was subsequently disclosed to the company's owners.
A significant security lapse
The leak, which essentially allowed access to significant amounts of user metadata, leaves users of the platform exposed when it comes to their identity, location, and payment information, allowing for the targeting of vulnerable users, such as those in LGBTQ+ communities abroad, those engaging in sensitive or explicit conversations, and even minors.
The leak also exposed backend logs of the service, thanks to an unsecured instance of Dozzle, a browser-based log viewer, which researchers point out is a secondary exposure for the platform, that not only provided a birds-eye view of how the entire service functioned, but also exposed plain-text passwords, session tokens, and even internal API requests.
Cybernews researchers said: “The combination of public Kibana and public Dozzle instances creates a severe security risk,” while noting that they had already made attempts to contact the company about the severity of their findings.
While Cybernews attempted to contact the company behind the FTF Live platform, it was met with silence, even as it sought to navigate a complex ownership structure that it says raises transparency concerns.
The since-taken-down Android App was published under 'Burhan LTD', while the privacy policy on the site identifies the owner as Cyprus-based Cooy Ads Ltd, even as its data controller, customer support, and branding seem to be under the Pixover name.
A lack of response from the company has researchers even more concerned, given the severity of the disclosure, the sheer number of records potentially being exposed, and the fact that the duration of public exposure has yet to be established.
“The leak turns what many people assume to be anonymous and throwaway interaction into a highly traceable data trail,” researchers noted while highlighting that issues include account compromises, targeted scams, or even stalking by motivated entities.
While it is important to note that no raw video conversations appear to have been exposed, the breach does allow users to be tracked, identified, and monitored by a 3rd party with access to said information, marking both a serious breach and an alarming level of inaction from the owners of the website, as noted by researchers who point to it as a broader industry issue surrounding “anonymous” communication platforms.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
