ADVERTISEMENT

iOS privacy app can’t keep secrets – and spills user notes with passwords

Before you entrust your private data to any app, ask yourself: who’s really on the other side of the screen? Research reveals that the Apple iOS app used to securely store private data has instead left it accessible to anyone on the internet.

ios photo vault

Image by Cybernews

Paulina Okunytė
Paulina Okunytė Senior Journalist
Apr 9, 2025 Updated: 9 April 2025 4 min read
  • iOS app Photo Vault, dedicated to storing and protecting private user data, exposed user passwords, notes, and photo information to anyone on the internet
  • The leak was caused by a passwordless Firebase database
  • Attackers could track the data users upload in real-time
  • The iPhone app also leaked other sensitive secrets that could facilitate further cyberattacks
  • After the disclosure, the developer of the app secured access to user data
iOS photo vault leak
Leaked metadata reveals an album storing AI generated intimate images

What did the iOS app leak?

  • 56 password entries
  • 81 notes, some of which were also titled “Passwords”
  • Metadata for 17 thousand photo albums created and stored by users
iOS photo vault leak
One of the users stored what looks like intimate images stolen from other people's online accounts.
iOS photo vault leak
Leaked notes that seem to belong to a drug dealer
iOS photo vault leak
Passwords stored in a note.
ADVERTISEMENT
iOS photo vault leak
Passwords saved by a user

The safety app is unsafe by design

  • API Key
  • Client ID
  • Google App ID
  • Project ID
  • Reversed Client ID
  • Storage bucket
  • GAD Application Identifier
  • Facebook App ID
  • Database URL

iOS apps are leaking secrets, and it’s a serious problem

Disclosure timeline:

ADVERTISEMENT