A Christian faith app that has been downloaded over 1 million times has been leaking years of private user data, according to researchers from cybersecurity firm vpnMentor.
VpnMentor’s research team noted the app “has proven incredibly popular since launching in 2016.”
However, according to the researchers, the app’s developers “failed to properly secure vast amounts of data collected from the app,” leaving millions of users to be potentially exposed to fraud and online attacks.
Researchers discovered four misconfigured Amazon Web Services (AWS) S3 buckets and identified Pray.com as their owner.
“AWS S3 buckets are a popular cloud storage solution for many apps and websites, but users must set their own security protocols,” vpnMentor wrote.
Pray.com had protected some files by setting them as private; however, many files were easily accessible.
“Pray.com’s developers overlooked basic security protocols on the S3 buckets, leaving many of the files stored within them publicly accessible to anyone with access to the bucket’s URL (easily obtained),” vpnMentor wrote.
“We have no evidence — and no way of knowing — whether the data in our reports has been accessed or leaked by anyone else; only the database owner can know that.”
VpnMentor said it tries to prevent unsafe internet use by conducting web mapping projects like the Pray.com report.
“We do our best to prevent this from happening by reaching out to the companies and ensuring they secure their leaking database as soon as possible.”
When the research team reached out to Pray.com, they said they did not receive a reply until five weeks after their initial attempt to contact the organization. Pray.com’s CEO replied with one word: “Unsubscribe.”
“We don’t know if anyone has actually accessed data and downloaded it,” Ran Locar of vpnMentor’s research team told Fox News.
According to Locar, the most dangerous aspect of this security breach is that “most of the people affected don’t even know … they didn’t agree to have their data exposed.”
The researcher said the data sometimes contains PIN numbers, credit card numbers and other sensitive data.
“[This is] a very strong privacy lesson,” Locar said. “If an app is asking for permission, it will grab the data and the data is no longer in your control.”
VpnMentor added in a research note that it is important to review “the permissions [an app is] requesting and find out for what purpose they’re needed.”
“If an app asks for access that doesn’t make sense, you can refuse,” the researchers wrote.
The Western Journal reached out to Pray.com for comment but did not receive a response before publication.