Horror story app Chilling haunted by loose permissions, spilling data


There is no autocorrect for cybersecurity, and one mistake can leave doors for attackers open for months. Chilling, a subscription-based app featuring narrated horror stories, was discovered leaking user data and sensitive secrets for nine months.

On July 16th, 2024, the Cybernews research team discovered an unprotected environment configuration file (.env). These files should be protected at all costs, as they hold the most precious secrets used by the web servers.

In this case, the .env file contained credentials for multiple databases, as well as AWS keys and an SSL private key belonging to the Chilling app.

“The leaked secrets allow potential attackers to completely take over the app’s infrastructure in the cloud, manipulate and exfiltrate data. The app has over 100,000 downloads on the Google Play store, and the users should be aware that their data was not handled properly,” our researchers said.

According to the Data Safety self-declaration on Google Play Store, the Chilling app doesn’t collect or share any user data.

However, some of the exposed credentials were for a database called ‘prod_users,’ which likely contained sensitive user information that could be used to identify the individual. Exposed data could lead to phishing attacks, privacy violations, or even identity theft.

According to the Google Play store, the app requires dangerous permissions, such as reading, modifying, or deleting storage contents, taking pictures and videos, viewing WiFi and network connections, or drawing over other apps.

“Even if no user data were sent to the company’s servers, attackers could spy on users exploiting the compromised infrastructure,” researchers said.

Search engines indexed this file for the first time in October 2023, which means the data was left exposed for nine months. The environment file appears to have been taken offline as of July 18th, 2024.

Cybernews has reached out to Chilling for a comment and will include their response if received.

According to the description, Chilling was founded by two friends “whose lives were shaped by the Horror Genre.”

What was in the leak?

The exposed credentials included the following:

  • Multiple credentials for databases, such as ‘users,’ ‘video,’ ‘story,’ and others.
  • AWS ID, access key, bucket name, and bucket path.
  • SSL private key and SSL fullchain certificate.

“An attacker with access to database credentials could connect to them and potentially gain full access to all stored data. The prod_users database is likely to contain personally identifiable information, and over 100,000 users could face risks such as identity theft and privacy breaches,” Cybernews researchers said.

AWS keys provide access to Chilling’s AWS account and can be used to perform any action allowed by the permissions attached to the associated key. This can include accessing S3 (Simple Storage Service) buckets, launching EC2 (virtual server) instances, manipulating databases, and more.


“Access to the S3 bucket name and path allows listing, reading, uploading, modifying, or deleting objects in the bucket, leading to potential data breaches,” the researchers said. “The AWS credentials can potentially allow the full takeover of Chilling's AWS account, enabling manipulation of cloud resources.”

The SSL private key is a critical component in securing online communications, as it is used to decrypt the data and sign digital certificates.

“The compromise of the SSL private key threatens the integrity and confidentiality of encrypted communications, allowing attackers to decrypt HTTPS traffic, impersonate servers, and sign malicious data, thus facilitating man-in-the-middle attacks and data modification,” our researchers warned.

They believe that exposure of multiple credentials and keys poses a severe security risk to Chilling.

To mitigate the incident, the company should immediately render the .env file inaccessible from the web, for example by placing it behind authorization or authentication, revoke the exposed secrets and credentials, and implement the following recommendations:

  • Investigate access logs to identify whether any threat actors have accessed the exposed sensitive information.
  • Rotate all exposed credentials to mitigate risks.
  • Implement stricter access controls, use environment-specific configurations, and encrypt sensitive data at rest and in transit.
  • Enable multi-factor authentication (MFA) for all accounts, adding a further layer of protection in case a password or key is compromised.
  • Inform the affected users and regulators if needed.

Exposing .env files is one of the most common mistakes made by administrators. It can happen for many reasons, including version control mishaps, misconfigured web servers, inadequate access controls, deployment errors, and plain human error or negligence.