Pray.com app exposes millions of users in massive data leak

Researchers at vpnMentor have published their findings after uncovering massive flaws in a popular faith app. The app in question is Pray.com, used by members of the Christian faith to pray and engage in other devotional activities. A research team led by vpnMentor’s Noam Rotem and Ran Locar found that the California-based developers had misconfigured their AWS servers. The result was an opening that allowed access to 262GB of data containing personal information of at least 1 million users across Android, iOS, and various browser apps. AWS misconfigurations have been the culprit in data leaks at other organizations in the past.

Researchers believe that the total number of users exposed could reach the tens of millions. Because some of the data includes email addresses on .mil and .gov domains, the ramifications could be far-reaching. vpnMentor uncovered the issue as part of a larger web mapping project, in which researchers found the unsecured servers by port scanning specific IP blocks and testing them for exploits. On analysis, Pray.com was found to have easily accessible S3 buckets due to a lack of encryption and basic security practices.
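The misconfiguration class behind this leak, an S3 bucket readable by anyone, is something a bucket owner can audit from the bucket's own settings. The following is an added example written for this page; it is not code from the article or from vpnMentor's research. It takes the three documents that decide public exposure (the Public Access Block, the bucket ACL and the bucket policy) as plain dicts in the shape the AWS API returns them, so it runs offline, and compares a constructed weak configuration with a hardened one. Bucket names, account IDs and role names are placeholders, not values from the incident.

```python
"""Offline audit of the settings that make an S3 bucket publicly readable.

Inputs mirror GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy output
as plain dicts, so no credentials are needed. All identifiers below are
constructed placeholders.
"""
import json

# Grantee URIs that S3 treats as "everyone" and "any signed-in AWS user".
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_complete(pab):
    """True only when all four BlockPublic* switches are on."""
    return all(pab.get(key) is True for key in PAB_KEYS)


def acl_public_grants(acl):
    """Permissions the ACL hands to the AllUsers/AuthenticatedUsers groups."""
    return sorted(
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_ACL_URIS
    )


def _principal_is_wildcard(principal):
    """'*' or {'AWS': '*'} (possibly inside a list) means any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Sids of Allow statements open to a wildcard principal.

    A Condition block can narrow such a statement (for example to one VPC),
    so conditioned statements are reported with a review marker rather than
    silently accepted.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    flagged = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny with Principal "*" is a hardening idiom, not exposure
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "statement[%d]" % index)
        flagged.append(sid + (" (conditioned, review)" if stmt.get("Condition") else ""))
    return flagged


def audit_bucket(name, pab, acl, policy=None):
    """Combine the three checks into one finding list for a bucket."""
    findings = []
    if not public_access_block_complete(pab):
        findings.append("public access block is not fully enabled")
    grants = acl_public_grants(acl)
    if grants:
        findings.append("ACL grants %s to everyone" % ", ".join(grants))
    sids = policy_public_statements(policy) if policy else []
    if sids:
        findings.append("policy allows wildcard principal in %s" % ", ".join(sids))
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample settings: a weak bucket next to its hardened counterpart.
WEAK_PAB = dict.fromkeys(PAB_KEYS, False)
HARDENED_PAB = dict.fromkeys(PAB_KEYS, True)
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-user-data/*"},
]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-backend"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-user-data/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-user-data", "arn:aws:s3:::example-user-data/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for args in (("weak-bucket", WEAK_PAB, WEAK_ACL, WEAK_POLICY),
                 ("hardened-bucket", HARDENED_PAB, HARDENED_ACL, HARDENED_POLICY)):
        print(json.dumps(audit_bucket(*args), indent=2))
```

The hardened policy keeps a `Deny` statement with `Principal: "*"` to force TLS; the checker deliberately ignores it, since only `Allow` statements can widen access. In a real account the same three documents come from the S3 API, and the account-level Public Access Block should be checked as well, because it overrides the bucket-level one.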

Since vpnMentor’s team are white hat hackers, they immediately set out to rectify the situation by contacting Pray.com. What happened next shows blatant negligence on the part of the app’s parent company:

After our first two attempts at contacting Pray.com failed to elicit a reply, we contacted AWS directly to notify them. AWS confirmed they had informed Pray.com of the breach a few days later, but there remains no evidence that the company has attempted to resolve the issue.

Five weeks after our initial attempt to contact Pray.com, the buckets remained unsecured, but the contacts files were removed. On November 17th, after three attempts by us to reach out to Pray.com, we finally received an answer from Pray.com’s CEO. His email contained one word: “Unsubscribe.”

As vpnMentor points out in its research post, the location of Pray.com’s headquarters exposes the company to specific legal action. California has stringent privacy laws, notably the California Consumer Privacy Act. With the owners of Pray.com continuing to refuse advice from cybersecurity experts, they could face actions such as audits and fines.

If you are a user of Pray.com’s services, the smartest thing you can do is find another app to practice your faith with, at least until the company tightens its security. The individuals in charge of this app appear to have been negligent in not heeding the warnings of well-intentioned security experts, and in the meantime they may have exposed their users to identity theft or phishing attacks.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating a society informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
