For months, Slick, a newly popular social media app in India, left a database of user information exposed, including data on users as young as school age.
The database of Slick users’ names, phone numbers, birthdays, and profile images has been accessible online without a password since at least December 11.
Former Unacademy executive Archit Nanda, who is based in Bengaluru, established Slick in November 2022 after abandoning cryptocurrency and winding down his previous firm, CoinMint. Slick, his most recent product, is an Android and iOS app that works much like Gas, a popular U.S. app built around exchanging compliments. Students in high school and college can use the app to have confidential conversations with and about their peers.
CloudDefense.ai security researcher Anurag Sen discovered the exposed data and reached out to TechCrunch for assistance in alerting the social media firm to the breach. Shortly after TechCrunch contacted it on Friday, Slick locked down the database.
A misconfiguration allowed anyone who knew the database's IP address to access its contents, which included information on more than 153,000 users. According to TechCrunch's investigation, the database was also reachable via an easy-to-guess subdomain on Slick's main website.
The researcher also notified CERT-In, India's primary organization for tackling cybersecurity threats.
TechCrunch reported that Slick had fixed the vulnerability, and Nanda confirmed it. It is not known whether anyone other than Sen found the database before it was locked down.
Slick became popular among young people soon after its launch in India last year. Earlier this month, Nanda announced on Twitter that the app had reached 100,000 downloads.