According to a report from Motherboard, which cited the findings of an anonymous security researcher, the app contained unsecured credentials that allowed access to its backend.
Celebrity shout-out app Cameo has been exposing highly sensitive user data including passwords, email addresses, and even supposedly private videos commissioned through the platform.
According to a report from Motherboard, which cited the findings of an anonymous security researcher, the Cameo app, which lets users pay for short shout-out videos from celebrities, contained unsecured credentials that allowed one to access its backend.
Those credentials – available to anyone who opened the Android app up and viewed its code – gave the researcher access to Amazon S3 buckets, online databases operated by Cameo, that contained passwords hashed and encrypted using a fairly weak process called Salt, phone numbers, email addresses, and names.
Additionally, the researcher found that videos recorded by celebrity members of Cameo that were meant to be private were easily accessible.
In a test conducted by Motherboard, which commissioned celebrity voice actor and comedian Gilbert Gottfried to record a video saying ‘cybersecurity is becoming more and more relevant today, what with the apps, and viruses and hackers’, the outlet was able to write a script that retrieved allegedly private videos from the platform.
According to Motherboard, the ability to hoover those videos stems from a flaw in the review system which lets one reconstruct a specific URL that is sent to users and allows them to watch their video.
Cameo reportedly instructs celebrities participating in its service to send their video URLs to a bot on the messaging app Telegram, which then relays the message to the end-user.
According to Motherboard, the credentials inside Cameo’s app appear to have been accessible for about two years.
‘Cameo recently learned of a vulnerability in one of our databases from a third party security data researcher potentially affecting a limited amount of account holder data,’ Cameo told Motherboard in response to the findings.
‘Our team promptly fixed the issue. After thoroughly investigating the matter, we are currently not aware of any evidence indicating that anyone else other than the security researcher knew of or utilized the vulnerability. The trust of our community and data security are top priorities for Cameo. We are continuing to actively investigate the issue and continuously investing in data security.’