Mobile keyboard developer exposed full data of 31m users


As detailed in a new report from ZDNet, personal data from over 31 million users of the popular AI.type customizable keyboard has been leaked to the public. Users may want to think twice about typing any sensitive information while using the app, as it is likely to be sucked up and stored on a server.

For users who are anxious they may have typed a password or other sensitive information while using the app, there is little recourse as it's impossible to know for sure if that data was recorded and exposed. Other information leaked included the names of apps downloaded on users' phones.

Security vendor Kromtech discovered a MongoDB database instance belonging to AI.Type - a company that develops a personalised keyboard app for Google's Android and Apple's iOS - with no access controls, allowing anyone to connect to it over the internet.
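A defender-side check for the kind of exposure described above, as an added example that is not from the original report: a short Python audit of a `mongod.conf` file. The two sample configurations are constructed and are not the incident's; `net.bindIp`, `net.bindIpAll` and `security.authorization` are MongoDB's own setting names, and the localhost default is assumed as in MongoDB 3.6 and later.

```python
LOCAL = {"127.0.0.1", "localhost", "::1"}

def parse_conf(text):
    """Flatten mongod.conf's nested YAML mappings into dotted keys (no lists/anchors)."""
    flat, parents = {}, []            # parents: (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while parents and parents[-1][0] >= indent:
            parents.pop()             # leave mappings that ended at this indent
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in parents] + [key])] = value
        else:
            parents.append((indent, key))
    return flat

def audit(text):
    """Return (risk, reasons) for one mongod.conf; risk is ok, warning or critical."""
    conf = parse_conf(text)
    auth = conf.get("security.authorization", "disabled").lower() == "enabled"
    # Assumption: with no bindIp set, mongod listens on localhost only (3.6+).
    binds = [b.strip() for b in conf.get("net.bindIp", "127.0.0.1").split(",")]
    # Unix socket paths (starting with "/") are local-only listeners.
    remote = conf.get("net.bindIpAll", "false").lower() == "true" or any(
        b not in LOCAL and not b.startswith("/") for b in binds)
    reasons = []
    if not auth:
        reasons.append("security.authorization is not enabled")
    if remote:
        reasons.append("listens on a non-loopback address")
    if remote and not auth:
        return "critical", reasons    # reachable over the network without credentials
    return ("warning" if not auth else "ok"), reasons

# Constructed sample configurations, not taken from the incident.
EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0   # all interfaces\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.5.12\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(sample))
```

An `ok` result with a non-loopback listener still depends on network-level filtering, which this file-only check cannot see.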

Another week, another open database left online, but this latest case has shown not only sloppy security but also how much data you're giving up with some apps.

In total, the database contained more than 10.7 million email addresses and 374.6 million phone numbers, suggesting the app accessed the contacts of its users and uploaded that information to its database.

The exposed user records included: phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat). Other records included information from linked Google profiles including profile pictures, email addresses, dates of birth and genders. The bug, which has since been patched, allowed hackers to view your email address, account number, and even your phone's IMSI number ...

Google often warns users of the security risks that come with the use of a third-party keyboard, but AI.type touts on its website that user privacy is its "main concern" and that any entered text "stays encrypted and private".

AI.Type also uploaded users' contacts and their phone numbers into the exposed MongoDB database. We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear.

"It is clear that data is valuable and everyone wants access to it for different reasons", he said. The company uses this to sell advertising, ZDNet reports.

"Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online", Bob Diachenko of Kromtech told ZDNet.

'It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices'.

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.