Fayvo, an app designed to have all your favorites in one place, spilled user information exposing them to phishing and similar malicious attacks.
Cybernews researchers discovered a 1.5GB-strong open database with nearly 45 million documents. They were able to attribute it to Fayvo – a Saudi Arabia-based social media app.
Fayvo was designed to "keep track of all your favorite things" – from food to fashion – and is integrated with other platforms so users can always find them in one place.
The Android app has over 100,000 downloads on the Google Play Store and a 3.8-star rating (out of 5) based on over 600 reviews at the time of writing. Fayvo is also available for iOS users and has over 20,000 followers on Facebook, Instagram, and Twitter.
The dataset, which had been publicly accessible for 80 days, contained full names, usernames, email addresses, phone numbers, dates of birth, post details, and profile images.
Threat actors could exploit leaked credentials for phishing and vishing, among other attacks.
"Even if you feel like there is nothing to hide, that everything has already been leaked, you probably have some guilty pleasure favorites that you wouldn't like to become public information. That leak could add to that too, the possibilities of the leaks combined depends on the threat actors' creativity, but they would have had plenty of space for their malicious behaviors," Cybernews researchers said.
Our newsroom contacted the app developers for an official comment but has yet to receive a response.
Cybernews investigation led to a discovery of more leaks on Fayvo's side. The same server hosting the database in question was leaking its staging environment file. It eventually led to yet another unprotected environment file with sensitive business information, including:
- Multiple MySQL Access Credentials
- AWS Access Keys and Secrets with S3 Bucket names
- Business and marketing-related API Keys and their Secret Keys
- Miscellaneous geocode and similar geographical API keys
- Postgres Database Access Credentials
- Many private endpoints (for additional exploration for a malicious actor)
"At the time, Fayvo was leaking from all sides. Threat actors could easily abuse the information, given that the S3 bucket was named with the keyword 'uploads' attached to it, which could potentially let others switch the content provided for users, causing chaos and maliciously targeting Fayvo users," Cybernews researchers said.
If a malicious actor gets access to all of the Fayvo leaks, it could lead to significant financial damage both for customers and the platform itself.
Threat actors could abuse the platform to spread ransomware or even take over the server.
"Hidden malicious server access points have a market of their own. It is usually used for hosting spam-related content, injecting card skimmers, or spreading malware, and cross-platform projects like Fayvo would be interesting for many actors to aid in their malicious activities," Cybernews researchers said.
Card skimming, for example, has become a prevalent threat, especially around shopping holidays.
Researchers highlight the importance of endpoint protection.
"Even if you think that your endpoints are safe, it is important to treat them as if they're not, without exposing anything online unless necessary. When you're working with customer data and exposed customer uploads, it is a good idea to keep the access local," researchers noted.
If you are relying on bucket or cloud computing services, tap into their informational resources since they have plenty of articles on protecting your instances with strict access control rules, meaning even if your credentials get leaked, no one can access them.
More from Cybernews:
Subscribe to our newsletter