Rising Indian social media app Slick left an inside database containing customers’ private info, together with information of school-going youngsters, publicly uncovered to the web for months.
Since not less than December 11, a database containing full names, cell numbers, dates of beginning, and profile photos of Slick customers was left on-line and not using a password.
Bengaluru-based Slick launched in November 2022 by former Unacademy government Archit Nanda after pivoting from crypto and shutting his earlier startup CoinMint. His newest enterprise, Slick, is on the market on each Android and iOS and works equally to Gasoline, a compliments-based app that’s in style in the US. The app additionally permits college and school college students to speak with and about their pals anonymously.
Safety researcher Anurag Sen from CloudDefense.ai discovered the uncovered database, and requested TechCrunch for assist in reporting the incident to the social media startup. Slick secured the database a short while after TechCrunch reached out on Friday.
As a consequence of a misconfiguration, anybody aware of the database’s IP handle might entry the database, which contained entries of over 153,000 customers on the time it was secured. TechCrunch additionally discovered that the database could possibly be accessed by an easy-to-guess subdomain on Slick’s fundamental web site.
The researcher additionally knowledgeable the India’s laptop emergency response crew, often known as CERT-In, the nation’s lead company for dealing with cybersecurity points.
Nanda confirmed to TechCrunch that Slick mounted the publicity. It’s not recognized if anybody aside from Sen discovered the database earlier than it was secured.
Slick attracted many youthful customers in India shortly after debuting final yr. Earlier this month, Nanda took to Twitter to announce that the app crossed 100,000 downloads.