JusTalk, a popular mobile video calling and messaging app with 20 million global users, exposed a massive database of supposedly private messages to the public Internet for months.
According to security researcher Anurag Sen, who discovered the open database, the messages were stored unencrypted, and the database itself was not locked behind a password.
The open database is a logging database the company, Ningbo Jus Internet Technology, uses to keep track of app bugs and errors. It also houses hundreds of gigabytes of data and is hosted on a Huawei cloud server in China. Sen said anyone can access the data using a web browser if they have the right IP address.
Data collected from Shodan, a search engine for exposed devices and databases, shows that the database was first exposed in early January at the latest, and that the company continued to use it while it was exposed.
Because the database is, essentially, a smorgasbord of every kind of data the company collects—chat logs, video logs, granular location data, data of child users of its JusTalk Kids app, records from its JusTalk second phone number service—it is hard to put a number on the victims of this breach. However, it is prudent to assume that everyone using Ningbo Jus’s products is affected.