- The breach provided direct access to 22 million session records and 3.47 million usernames and email addresses or similar identifiers
- The platform, which claims privacy and security as core principles of its offerings, is often used for intimate or explicit conversations with strangers, making this security flaw a critical issue
- The leak also contained sensitive metadata that can be linked back to users, including device details, gender, payment information and geolocation-specific information such as IP addresses, country and language
In what is being treated as a major cybersecurity incident, the randomized video chat platform FTF Live may have inadvertently compromised millions of its users through a misconfiguration.
The breach effectively exposed information from potentially as many as 3.47 million identifiable users across 22 million sessions, thanks to an openly accessible Kibana dashboard discovered by security researchers, which was subsequently disclosed to the company’s owners.
A significant security loss
The leak, which essentially provided access to significant amounts of user metadata, leaves users of the platform exposed when it comes to their identity, location and payment information, allowing for the targeting of vulnerable users, such as those in LGBTQ+ communities abroad, those engaging in sensitive or explicit conversations, and even minors.
The leak also exposed the service’s backend logs through an unsecured instance of Dozzle, a browser-based log viewer. Researchers describe this as a secondary exposure of the platform that not only provided a bird’s-eye view of how the entire service worked, but also revealed plain text passwords, session tokens and even internal API requests.
Cybernews researchers said, “The combination of public Kibana and public Dozzle instances creates a serious security risk,” while noting that they had already made attempts to contact the company about the seriousness of their findings.
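As an added illustration, not code from the article or from the platform’s own deployment, the docker-compose fragment below contrasts a Dozzle instance published straight to the internet with a layout in which Dozzle and Kibana are reachable only through an authenticating reverse proxy bound to loopback. Image tags, service names and file paths are assumptions.

```yaml
# Added example, not from the article: hardening the "public Kibana + public
# Dozzle" exposure. Image tags, service names and paths are assumptions.

services:
  # WEAK (commented out): publishes Dozzle on every host interface with no
  # authentication in front of it. Anyone who can reach TCP/8080 sees every
  # container's logs, including any passwords or tokens that were logged.
  # dozzle:
  #   image: amir20/dozzle:latest
  #   volumes:
  #     - /var/run/docker.sock:/var/run/docker.sock:ro
  #   ports:
  #     - "8080:8080"

  # HARDENED: no host port at all; Dozzle is reachable only from the
  # reverse proxy on the private compose network (proxy_pass http://dozzle:8080).
  dozzle:
    image: amir20/dozzle:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [internal]

  # Kibana likewise stays off the host network; the proxy reaches it on the
  # container's default port (proxy_pass http://kibana:5601).
  kibana:
    image: docker.elastic.co/kibana/kibana:8.13.0
    networks: [internal]

  # Single entry point: TLS plus HTTP basic auth (auth_basic /
  # auth_basic_user_file in nginx.conf), bound to 127.0.0.1 so only an
  # operator on the host, or through an SSH/VPN tunnel to it, can connect.
  proxy:
    image: nginx:stable
    ports:
      - "127.0.0.1:8443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro     # assumed to exist
      - ./htpasswd:/etc/nginx/htpasswd:ro         # assumed to exist
      - ./certs:/etc/nginx/certs:ro               # assumed to exist
    networks: [internal]

networks:
  internal: {}
```

A quick self-check after deploying is to confirm from outside the host that ports 8080 and 5601 do not answer at all and that 8443 is not bound to a public interface.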
While Cybernews tried to contact the company behind the FTF Live platform, it was met with silence even as it tried to navigate a complex ownership structure that it says raises concerns about transparency.
The since-removed Android app was published under ‘Burhan LTD’, while the website’s privacy policy identifies the owner as Cyprus-based Cooy Ads Ltd, although its data controller, customer support and branding appear to be under the Pixover name.
The lack of response from the company makes the researchers even more concerned given the seriousness of the disclosure, the large number of records potentially exposed and the fact that the duration of public exposure has yet to be determined.
“The leak turns what many people assume to be anonymous and one-time interactions into a highly traceable data trail,” researchers noted, while highlighting that issues include account compromise, targeted fraud, or even stalking by motivated entities.
While it’s important to note that no raw video conversations appear to have been exposed, the breach allows users to be tracked, identified and monitored by any third party with access to the data. Researchers characterize it as both a serious breach and an alarming level of inaction on the part of the site’s owners, and point to it as symptomatic of a wider industry problem surrounding “anonymous” communication platforms.