Popsugar’s Twinning app is a photo-matching tool that compares users’ uploaded photos with celebrities’ photos and gives a twinning percentage for the top five look-alikes. The results can also be shared on Facebook and Twitter. Hundreds of users’ uploaded photos were found to be leaked in Google’s search results even before the users shared them on Facebook or Twitter.
The photos and selfies that users uploaded to the Twinning app were found to be easily accessible. The uploaded photos are stored in a storage bucket, and the web address of that bucket is found in the code of the Twinning app’s website, thereby exposing users’ uploaded photos.
All the photos and selfies uploaded to Popsugar’s Twinning app were stored in a storage bucket hosted by Amazon Web Services. The web address of the storage bucket could be found in the code of the Twinning app’s website.
To verify this,
Researchers noted that the storage bucket was locked down after some time. However, Mike Patnode, Vice President of engineering at Popsugar, confirmed in an email to TechCrunch that “the bucket permissions weren't set up correctly.”
Threat actors often take advantage of viral mobile app trends to create malicious apps that steal user data or inject malware into users’ devices. In May 2018, a set of photo editor apps was found to be hiding malware. Such cases are unfortunately quite frequent.
To stay secure, be cautious when using free apps such as quizzes, games and photo editor tools, and pay attention to what information you provide and what access permissions you grant to such apps.
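Bucket permissions that "weren't set up correctly" in this way can be caught by reviewing a bucket's ACL and policy for grants to anonymous users. The following is an added example, not code from Popsugar or from the original article: it flags public read and list access in documents shaped like the responses of S3's GetBucketAcl and GetBucketPolicy calls. The function names, the bucket name `example-uploads` and the sample documents are constructed for illustration, and the check is a simplification that reports statements with a `Condition` as conditional rather than evaluating them and does not consider explicit Deny statements or Block Public Access settings.

```python
import fnmatch

# Predefined S3 grantee groups that make an ACL grant effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # A policy principal is public when it is "*" or {"AWS": "*"} (string or list).
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def public_acl_grants(acl):
    """Return (group URI, permission) for every ACL grant made to a public group."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def public_policy_reads(policy):
    """Return (action, resource, conditional) for Allow statements open to anyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in READ_ACTIONS:
                # Policy actions are case-insensitive and may use wildcards (s3:Get*).
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings += [(action, res, "Condition" in stmt)
                                 for res in _as_list(stmt.get("Resource", []))]
    return findings

# Constructed sample input, not taken from any real bucket.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:Get*"],
     "Resource": "arn:aws:s3:::example-uploads/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-uploads/*"}]}

if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL), public_policy_reads(SAMPLE_POLICY))
```

In the sample, the `READ` grant to `AllUsers` on the bucket ACL lets anyone list the bucket's contents, and the wildcard policy statement lets anyone fetch objects; either finding on a bucket holding user uploads warrants removing the grant.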