A new mobile app described as the "Yelp for conservatives" is leaking user records and business reviews, according to a French security researcher.
The app describes itself as a service where users can read or write "reviews of local restaurant and businesses from a conservative perspective, helping insure[sic] you're safe when you shop and eat!"
In media interviews, Scott Wallace, the app's creator, said he built the app after a series of incidents where conservatives were forced to leave or take MAGA gear off to eat at restaurants or enter various businesses across the US.
But according to Baptiste Robert, a French security researcher who goes online under the pseudonym of Elliot Alderson (the name of the main character from the Mr. Robot TV show about hackers), the 63red Safe app is leaking almost all of its data.
Robert says the app's source code contains the credentials of its author, but also a list of API endpoints to which it connects to store or retrieve data.
This backend API doesn't use any form of authentication, Robert said. This means that anyone can look at the app's source code, get the API endpoints, and then extract data from the app's server with no challenge or restriction.
Using this technique, the French researcher was able to determine that 4,466 users had registered and created profiles since the app's launch over the weekend.
For each profile, Robert said he was able to retrieve information such as username, email, avatar, follower count, following count, profile creation/update dates, a ban status, and something called a "hotscore."
Other API endpoints also allowed Robert to block users and to tamper with the app's database logs, which could be used to hide unauthorized intrusions.
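The two weaknesses Robert describes, a backend that answers any caller and privileged endpoints (blocking users, touching database logs) with no role check, come down to missing authentication and authorization. The following Python sketch is an added example, not 63red's code, of how such a backend can gate every endpoint behind a session token and restrict admin actions by role; the profiles, tokens and endpoint names are constructed placeholders, and the login step that issues tokens is assumed to exist elsewhere.

```python
"""Constructed access-control layer for a profile/review API (not 63red's code)."""

# Constructed sample records, shaped after the fields the article lists.
PROFILES = {
    1: {"username": "alice", "email": "alice@example.invalid", "avatar": "a.png",
        "followers": 12, "following": 3, "banned": False, "hotscore": 40},
    2: {"username": "bob", "email": "bob@example.invalid", "avatar": "b.png",
        "followers": 5, "following": 9, "banned": False, "hotscore": 17},
}
AUDIT_LOG = ["user 2 unblocked by admin 9"]  # constructed; append-only by design

# token -> (user id, role). Tokens come from a login step (assumed, not shown);
# no developer credential is ever compiled into the client app.
SESSIONS = {"tok-alice": (1, "user"), "tok-admin": (9, "admin")}

# Fields any authenticated user may see about another user; email and ban
# status are only returned to the profile owner or an admin.
PUBLIC_FIELDS = {"username", "avatar", "followers", "following", "hotscore"}
ADMIN_ENDPOINTS = {"block_user", "audit_log"}


def handle(endpoint, token=None, **params):
    """Dispatch one request and return (http_status, body).

    Every endpoint requires a valid session; admin endpoints also require
    the admin role, so an anonymous caller who reads the endpoint list out
    of the app binary gets a 401 rather than data.
    """
    session = SESSIONS.get(token)
    if session is None:
        return 401, {"error": "authentication required"}
    uid, role = session
    if endpoint == "profile":
        target = PROFILES.get(params.get("id"))
        if target is None:
            return 404, {"error": "no such user"}
        if uid == params["id"] or role == "admin":
            return 200, dict(target)
        return 200, {k: v for k, v in target.items() if k in PUBLIC_FIELDS}
    if endpoint in ADMIN_ENDPOINTS:
        if role != "admin":
            return 403, {"error": "admin role required"}
        if endpoint == "block_user":
            target = PROFILES.get(params.get("id"))
            if target is None:
                return 404, {"error": "no such user"}
            target["banned"] = True
            AUDIT_LOG.append(f"user {params['id']} blocked by admin {uid}")
            return 200, {"id": params["id"], "banned": True}
        return 200, {"entries": list(AUDIT_LOG)}  # read-only view; no delete endpoint
    return 404, {"error": "unknown endpoint"}
```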
ZDNet asked Robert in an interview earlier today if he could also tamper with the user reviews of certain restaurants or businesses.
"I didn't test, but I was able to do almost everything, to be frank," Robert told us.
Asked why he looked into the 63red Safe app, the researcher said this was because he found a similar leak in another mobile app for US-based conservatives in the past.
"Some months ago I analyzed the Donald Daters app three hours after its release. I thought it was fun to analyze the same kind of 'Donald Trump' related app," he told ZDNet.
As for 63red and the safety of its users, the researcher says he didn't notify the company of his findings, which he shared publicly in a Twitter thread.
"I didn't contact them," Robert told us. "Let's say I don't really like Trump fans."
The company also develops two other conservative-focused apps named 63red News and 63red Talk, and is working on another named 63red Gather. Robert hasn't looked into these apps yet, but he told ZDNet he will.
ZDNet contacted 63red and its founder about Robert's findings earlier today so the company can take action and update its app to protect users' data.
"We take this matter very seriously, and have already taken action to additionally protect our data," a company spokesperson told ZDNet via email. "The security of our users, and conservatives generally, is our primary concern, and we will continue to improve our systems in any way possible to guarantee their safety."
"The individual who noticed the original issue never gained access to any user's passwords, nor were they able to change or alter any data on our servers, nor were they able to login to our servers or access our databases directly," the company said. "The sensitive information which they were able to access has now been additionally protected."
"As we have seen across the United States, conservatives particularly have come under attack for their political beliefs - verbally, physically, and electronically. This is unacceptable in a free society, and we will take every action to stop it, and assist our users in that as well.
"We see this person's illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today," 63red added. "We hope that, just as in the case of many other politically-motivated internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, to the utmost extent of the law. We log all activity against all our servers, and will present those logs as evidence of a crime."
Article updated with 63red statements.