Finding cloud databases with sensitive information left open to the internet has become par for the course these days – as a new exposure of millions of sensitive data points for the users of a golf app demonstrates.
Millions of golfer records from the Game Golf app, including GPS details from courses played, usernames and passwords, and even Facebook login data, were all exposed for anyone with an internet browser to see — a veritable hole-in-one for a cyberattacker looking to build profiles for potential victims, to be used in follow-on social-engineering attacks.
Security Discovery researcher Bob Diachenko recently ran across an Elastic database that was not password-protected and thus visible in any browser. Further inspection showed that it belongs to Game Golf, which is a family of apps developed by San Francisco-based Game Your Game Inc.
Game Golf comes as a free app, as a paid pro version with coaching tools and also bundled with a wearable. It’s a straightforward analyzer for those that like to hit the links – tracking courses played, GPS data for specific shots, various player stats and so on – plus there’s a messaging and community function, and an optional “caddy” feature.
It’s popular, too: It has 50,000+ installs on Google Play.
Unfortunately, Game Golf landed its users in a sand trap of privacy concerns by not securing the database: Security Discovery senior security researcher Jeremiah Fowler said that the bucket included all of the aforementioned analyzer information, plus profile data like usernames and hashed passwords, emails, gender, and Facebook IDs and authorization tokens.
In all, the exposure consisted of millions of records, including details on “134 million rounds of golf, 4.9 million user notifications and 19.2 million records in a folder called ‘activity feed,’” Fowler said.
The database also contained network information for the company: IP addresses, ports, pathways and storage info that “cybercriminals could exploit to access deeper into the network,” according to Fowler, writing in a post on Tuesday.
No word on whether malicious players took a swing at the data, as it were, but the sheer breadth of the information that the app gathers is concerning, Fowler noted.
“When combined, this data could theoretically create a more complete profile of the user and adding additional privacy concerns,” he wrote. “This incident once again raises this issue of how applications gather and store user data. A growing concern about tracking and metadata is that users do not see all of this information, how it is used, or what it is used for.”
Diachenko said that he sent notices to Game Golf several times about the exposure, but he said he didn’t get a reply. Nonetheless, the database was secured about two weeks after he sent his initial notification.
Fowler added that Game Your Game could find itself in the rough if it’s not dealing with the situation.
“It is unclear if this data incident was reported to users who may have been affected or the California Attorney General’s Office,” Fowler noted — California law requires a business to notify any California resident whose unencrypted personal information was potentially exposed.
Threatpost also reached out to Game Golf, and will update this post with any comment.
Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.