The Christian faith app Pray.com has leaked private data for up to 10 million people, according to researchers.
The app offers “daily prayer and Bible stories to inspire, educate and help you sleep” on a subscription basis. Subscriptions run anywhere from $50 to $120. It offers a host of audio content, including services from televangelists like Joel Osteen, and religious recordings using celebrity voices like Kristen Bell and James Earl Jones.
It has been downloaded by more than 1 million people on Google Play, and ranks as the #24 lifestyle app in the Apple App Store.
vpnMentor analysts found several open, publicly accessible cloud databases (Amazon Web Services S3 buckets, in this case) belonging to Pray.com, containing 1.9 million files – about 262 GB worth of data. Most of this was internal information, but one of the buckets contained concerning data, the researchers said: some 80,000 files held various personally identifiable information (PII) for tens of millions of people – and not just Pray.com users.
These included photos uploaded by the app’s users (profile photos and avatars for Pray.com’s private “Communities” social network), including those of minors. The bucket also held CSV files from churches that use the app to communicate with their congregations, the investigation found. These files contained lists of each church’s attendees, with information for each churchgoer that included names, home and email addresses, phone numbers and marital status.
The app also says that it facilitates church donations – users can donate directly via the app to any church that is part of the Pray.com ecosystem. The donations were also logged in the bucket, along with the donation amount, the donor’s PII, and Pray.com’s fee for processing the donation. No records of those donations being forwarded to churches were present, however.
“The long lists of donations processed by Pray.com would give cybercriminals invaluable insight into the finances of app users and an opportunity to contact them appearing as the app, querying a previous donation,” researchers said.
Most damningly, the cloud database included whole phone books from users. Whenever a person joins the Communities social network, the app asks if it can invite friends to join. If a user says yes, the app uploads the user’s entire ‘phonebook’ from their device, containing all contacts and associated information.
Researchers said that many of these phonebooks contained hundreds of individual contacts, each one revealing that person’s PII data, including names, phone numbers, email, home and business addresses, and other details, like company names and family ties. Some of the entries included login information for private accounts.
“The people whose data Pray.com had stored in these phonebook files were not app users,” according to vpnMentor’s analysis this week. “They were simply people whose contact details had been saved on a Pray.com user’s device. In total, we believe Pray.com stored up to 10 million people’s private data without their direct permission – and without its users realizing they were allowing it to happen.”
Cloud Complexity
Interestingly, a little over 80,000 files had been made private, accessible only to principals with the right permissions. However, these files were still being exposed through a second Amazon service, vpnMentor found, demonstrating the complexity that cloud configurations can entail.
“Through further investigation, we learned that Pray.com had protected some files, setting them as private on the buckets to limit access,” they explained. “However, at the same time, Pray.com had integrated its S3 buckets with another AWS service, the AWS CloudFront content delivery network (CDN). CloudFront allows app developers to cache content on proxy servers hosted by AWS around the world – and closer to an app’s users – rather than load those files from the app’s servers. As a result, any files on the S3 buckets could be indirectly viewed and accessed through the CDN, regardless of their individual security settings.”
They added, “Pray.com’s developers accidentally created a backdoor that gave complete access to all the files they had tried to protect.”
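The mechanism vpnMentor describes is a bucket-policy grant to the CDN’s identity that applies to every key, so per-object “private” settings never come into play. The following triage check is an added example, not code from Pray.com or vpnMentor: it takes a bucket policy of the shape AWS generates for a CloudFront Origin Access Identity (bucket name, OAI id and prefixes are constructed placeholders) and reports which supposedly private prefixes the CDN principal can still read, contrasting the wide-open grant with one scoped to a public prefix.

```python
import fnmatch

# Constructed sample, not Pray.com's real configuration: the shape of the bucket
# policy AWS generates when an S3 origin is fronted by a CloudFront Origin Access
# Identity (OAI). Bucket name and OAI id are placeholders.
CDN_OAI = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"
WIDE_OPEN_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CDN_OAI}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-app-assets/*"}]}          # CDN reads every key
SCOPED_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": CDN_OAI}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-app-assets/public/*"}]}   # only the public tree

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_cloudfront_principal(principal):
    """True for an OAI user, the OAC service principal, or an anonymous '*' grant."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    ids = _as_list(principal.get("AWS", [])) + _as_list(principal.get("Service", []))
    return any(p == "*" or "cloudfront" in str(p).lower() for p in ids)

def cdn_readable_prefixes(policy, bucket, private_prefixes):
    """Private prefixes a CloudFront principal may GetObject from.

    Only Allow statements are checked; Deny and Condition are ignored (assumption:
    triage, not a full IAM evaluator). Object ACLs are not consulted on purpose: a
    bucket-policy grant to the CDN identity applies whatever each object's ACL says.
    """
    exposed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_cloudfront_principal(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("s3:getobject", "s3:get*", "s3:*", "*") for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            for prefix in private_prefixes:
                # AWS resource wildcards match across '/', just as fnmatch's '*' does.
                probe = f"arn:aws:s3:::{bucket}/{prefix}probe-object"
                if fnmatch.fnmatchcase(probe, resource):
                    exposed.add(prefix)
    return sorted(exposed)
```

Running the check against the wide-open policy flags every private prefix, while the scoped policy flags none; the fix is to narrow the CDN grant to the public prefix (or issue signed URLs), not to adjust object ACLs.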
Chris DeRamus, vice president of technology for the Cloud Security Practice at Rapid7, noted that companies need to be aware that the self-service nature of cloud opens them up to increased risk.
“Unprotected S3 buckets and databases are a common occurrence, and one that attackers continue to exploit. In fact, out of 196 breaches caused by cloud misconfigurations in 2018 and 2019, S3 bucket misconfigurations accounted for 16 percent of those breaches,” he said via email. “Organizations should take the appropriate security measures, such as security automation, to ensure that data is protected at all times. If risk is not considered and addressed initially, organizations can face fines, legal fees, and ultimately their viability.”
The database was discovered on Oct. 6, but it wasn’t made private despite multiple attempts to contact Pray.com about the problem, according to vpnMentor. After the researchers contacted Amazon directly, the contact files were removed from the open bucket on Nov. 17.
While it’s unknown how long the files were exposed, some of the data dated back to 2016, researchers said.
“By not protecting its users’ data – while also aggressively harvesting the data of their friends and family – Pray.com has exposed millions of people to various dangers [like phishing, identity theft and account takeover],” according to vpnMentor. “The implications for the app’s users, and the general public, should not be understated.”