Emerging Indian social media app Slick left an internal database containing users' personal information, including data of school-going children, publicly exposed to the internet for months.
Since at least December 11, a database containing full names, mobile numbers, dates of birth, and profile pictures of Slick users was left online without a password.
Bengaluru-based Slick was launched in November 2022 by former Unacademy executive Archit Nanda after pivoting from crypto and shutting his earlier startup CoinMint. His latest venture, Slick, is available on both Android and iOS and works similarly to Gas, a compliments-based app that's popular in the USA. The app also allows school and college students to talk with and about their friends anonymously.
Security researcher Anurag Sen from CloudDefense.ai found the exposed database, and asked TechCrunch for help in reporting the incident to the social media startup. Slick secured the database a short while after TechCrunch reached out on Friday.
Due to a misconfiguration, anyone who knew the database's IP address could access the database, which contained entries of over 153,000 users at the time it was secured. TechCrunch also found that the database could be accessed through an easy-to-guess subdomain on Slick's main website.
The researcher also informed India's computer emergency response team, known as CERT-In, the country's lead agency for handling cybersecurity issues.
Nanda confirmed to TechCrunch that Slick fixed the exposure. It's not known if anyone other than Sen found the database before it was secured.
Slick attracted many younger users in India shortly after debuting last year. Earlier this month, Nanda took to Twitter to announce that the app crossed 100,000 downloads.