- The exposed dashboard gave direct access to 22 million session records and 3.47 million usernames, email addresses or similar identifiers.
- The platform, which claims privacy and security as core tenets of its offerings, is often used for intimate or explicit conversations with strangers, making this security breach a critical issue.
- The leaks also contained sensitive metadata that can be linked to users, including device details, gender, payment information, and geolocation-specific information such as IP addresses, country, and language.
In what is considered a major cybersecurity breach, random video chat platform FTF Live may have exposed the data of millions of its users through a misconfiguration.
The exposure, an openly accessible Kibana dashboard spotted by security researchers, covered up to 3.47 million identifiable users across 22 million sessions; the researchers then reported the finding to the company’s owners.
A significant security breach
The leak gave access to large amounts of user metadata, exposing users’ identity, location and payment information. That makes it possible to target vulnerable users, such as those from LGBTQ+ communities abroad, people who engage in sensitive or explicit conversations, and even minors.
The researchers also found a secondary exposure: an unauthenticated instance of Dozzle, a browser-based viewer for container logs, which streamed the service’s back-end logs. Those logs not only gave an overview of how the entire service worked, but also contained plain-text passwords, session tokens and internal API requests.
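As an added example that is not part of the TechRadar article or the researchers’ material: a small Python scanner that finds and redacts the kinds of secrets the article says were visible in the exposed logs (plain-text passwords, bearer and session tokens, card numbers, client IPs), run over constructed sample log lines. The patterns, the sample lines and the `[REDACTED:...]` marker format are assumptions for illustration. The point it makes is that a log viewer such as Dozzle only shows what the applications write, so scrubbing secrets before they reach the log is a check worth having whether or not the viewer itself is behind authentication.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not real FTF Live data), imitating what a container
# log viewer would stream if it were reachable without authentication.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z auth-svc INFO login ok user=alice password=hunter2 ip=203.0.113.7",
    "2024-05-01T10:00:02Z api-gw DEBUG GET /v1/me Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl",
    "2024-05-01T10:00:03Z session-svc INFO issued session_token=a1b2c3d4e5f6a7b8c9d0 for user=42",
    "2024-05-01T10:00:04Z billing INFO charge ok card=4111111111111111 amount=9.99",
    "2024-05-01T10:00:05Z matcher INFO paired session=77 country=DE lang=de",
]

# Illustrative patterns (assumed, not taken from any real product). The last
# capturing group of each pattern is the secret value to redact.
PATTERNS = {
    "password": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*(\S+)"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9\-_.]+)"),
    "session_token": re.compile(
        r"(?i)\b(session[_-]?token|api[_-]?key|auth[_-]?token)\s*[=:]\s*([A-Za-z0-9\-_.]{8,})"
    ),
    "card_number": re.compile(r"\b(\d{13,19})\b"),
    "ip_address": re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to keep 13-19 digit runs that are not card numbers
    (timestamps, counters) out of the card_number findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_secrets(line: str) -> list[Finding]:
    """Return every secret-looking value in one log line, tagged by kind."""
    found = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(line):
            value = m.group(m.lastindex)
            if kind == "card_number" and not luhn_ok(value):
                continue
            found.append(Finding(kind, value))
    return found


def redact(line: str) -> str:
    """Replace each secret value with a marker so the line is safe to ship to a
    log viewer or an analytics dashboard."""
    for f in find_secrets(line):
        line = line.replace(f.value, f"[REDACTED:{f.kind}]")
    return line


def scan(lines: list[str]) -> dict[str, int]:
    """Count findings per kind across a batch of lines; a non-empty result on
    production logs means the applications are writing secrets to stdout."""
    counts: dict[str, int] = {}
    for line in lines:
        for f in find_secrets(line):
            counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    print("findings:", scan(SAMPLE_LOGS))
    for line in SAMPLE_LOGS:
        print(redact(line))
```

Run against a real log stream, the same `scan` function doubles as a pre-deployment check: pipe a few minutes of container output through it and treat any non-zero count as a bug in the emitting service, since the exposure described here would have been far less damaging if the logs had held only redacted markers.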
The Cybernews researchers said, “The combination of public Kibana and public Dozzle creates a serious security risk,” while noting that they had previously attempted to contact the company about the seriousness of their findings.
While Cybernews attempted to contact the company behind the FTF Live platform, it was met with silence, even as it sought to navigate a complex ownership structure that it says raises transparency issues.
The since-deleted Android app was published under the name “Burhan LTD”, while the site’s privacy policy identifies the owner as Cyprus-based Cooy Ads Ltd, although its data controller, customer support and branding appear to be under the Pixover name.
The company’s lack of response further worries researchers, given the seriousness of the disclosure, the large number of documents potentially exposed, and the fact that the duration of public exposure has not yet been established.
“The leak turns what many people think is an anonymous, disposable interaction into a highly traceable data trail,” the researchers noted while pointing out that problems include account compromise, targeted scams or even harassment by motivated entities.
No raw video chats appear to have been exposed, but the data allows anyone with access to it to track, identify and monitor users. The researchers describe this as both a serious breach and an alarming level of inaction from the site’s owners, and as symptomatic of a broader industry problem with “anonymous” communications platforms.