Cameo, a popular app that allows users to pay celebrities to record short shout-out videos, is riddled with security flaws that the service's customers and famous users are probably unaware of.
Vice reports that Cameo has suffered a massive leak of user data due to a "misconfiguration" of its app. The leaked information included customer emails and messages within the app. Hashed and salted passwords and phone numbers were also allegedly exposed.
On the celebrity business side of Cameo, a researcher told Vice that videos marked private can in fact be found and downloaded by anyone using the app.
Motherboard, the technology arm of Vice, even wrote code that could identify private videos shot by rapper Snoop Dogg and comedian Michael Rapaport. All of these "private" videos were actually accessible.
The cameo transaction appears to have been designed to be as simple as possible, relying on shareable links to fulfil the request. The link alone was enough: anyone holding the link to a pending cameo video could change what the selected celebrity was being asked to talk about, or cancel the request outright.
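The fix for a link that grants edit and cancel rights is to make the link carry only what a link should: a signed, expiring, view-only claim on one request, while every mutating endpoint checks the logged-in session against the request's owner and ignores whatever the link says. The following is an added illustration of that design, not Cameo's code or a description of how its service is built; the signing key, the `REQUESTS` record and the request IDs are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side signing key (constructed for this example). It stays on the server;
# nothing like it belongs in the client app.
SERVER_KEY = b"example-signing-key-not-for-production"

# Constructed sample record standing in for one pending video request.
REQUESTS = {
    "req-1001": {"owner": "alice", "script": "Wish Bob a happy birthday", "status": "pending"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_share_token(request_id: str, ttl_seconds: int = 7 * 24 * 3600,
                     now: Optional[float] = None) -> str:
    """Token to embed in a share link: names one request, grants only 'view', and expires."""
    now = time.time() if now is None else now
    claims = {"rid": request_id, "scope": "view", "exp": int(now + ttl_seconds)}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_share_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
        if not isinstance(claims, dict) or claims.get("exp", 0) < now:
            return None
    except (ValueError, TypeError):  # malformed base64, JSON, or claim types
        return None
    return claims


def authorize(action: str, request_id: str, session_user: Optional[str],
              share_token: Optional[str], now: Optional[float] = None) -> bool:
    """Single decision point: a link may only view; edit and cancel need the logged-in owner."""
    record = REQUESTS.get(request_id)
    if record is None:
        return False
    if session_user is not None and session_user == record["owner"]:
        return True
    if action == "view" and share_token:
        claims = verify_share_token(share_token, now)
        return (claims is not None and claims.get("rid") == request_id
                and claims.get("scope") == "view")
    return False  # no link scope ever grants edit or cancel


def update_script(request_id: str, new_script: str, session_user: Optional[str],
                  share_token: Optional[str]) -> bool:
    """Mutating endpoint: routed through authorize(), so a link holder is refused."""
    if not authorize("edit", request_id, session_user, share_token):
        return False
    REQUESTS[request_id]["script"] = new_script
    return True


def cancel_request(request_id: str, session_user: Optional[str],
                   share_token: Optional[str]) -> bool:
    if not authorize("cancel", request_id, session_user, share_token):
        return False
    REQUESTS[request_id]["status"] = "cancelled"
    return True


if __name__ == "__main__":
    link = mint_share_token("req-1001")
    print("friend with link can view:", authorize("view", "req-1001", None, link))
    print("friend with link can edit:", update_script("req-1001", "Say something rude", None, link))
    print("owner can cancel:", cancel_request("req-1001", "alice", None))
```

The token is checked with `hmac.compare_digest` so a forged signature cannot be found by timing, and the claims are part of the signed body, so changing `scope` or `rid` in the link invalidates it. The one thing the design relies on is that every write path calls `authorize()` with the session, never with the link.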
Motherboard editor-in-chief Jason Koebler requested a cameo video from comedian Gilbert Gottfried to validate his findings; Koebler set the video to private, but Motherboard staff writers were able to view and download Gottfried's message (which was intentionally about cybersecurity).
Sketchier still, Cameo publishes its privacy policy on Google Docs, and the talent recording cameos use the messaging app Telegram to send the finished videos.
According to researchers who spoke to Vice, the app's code contains credentials that allow anyone to reach Cameo's back-end infrastructure and read user data; Motherboard believes these credentials may have been publicly available for two years.
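Credentials shipped inside a client app are readable by anyone who downloads it, which is why the standard check before release is to pull every printable string out of the bundle and scan them for secrets. The scanner below is an added example, not Cameo's tooling and not the researchers' method; the input list is constructed to stand in for what `strings` or a decompiler would produce, and the AWS values in it are the placeholder credentials from AWS's own documentation, not live keys.

```python
import math
import re
from typing import List, Tuple

# Constructed sample of strings, as `strings` or a decompiler would pull from an app bundle.
# The two AWS values are the example credentials published in AWS documentation.
SAMPLE_STRINGS = [
    "https://api.example.invalid/v1/videos",
    "Content-Type: application/json",
    "AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "password",
    "-----BEGIN RSA PRIVATE KEY-----",
    "api_key = 'changeme'",
]

# Rules with a fixed, recognisable shape: every match is worth a look regardless of entropy.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# An assignment to a secret-looking name; the value is reported only if it looks random.
ASSIGNMENT_RULE = re.compile(
    r"(?i)[a-z_]*(?:secret|token|api[_-]?key|password|passwd)[a-z_]*\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9+/_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; human-chosen values sit well below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s, estimated from its own character frequencies."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(strings) -> List[Tuple[str, str]]:
    """Return (rule, offending string) for every string that looks like an embedded credential."""
    findings = []
    for s in strings:
        for name, rx in PATTERN_RULES:
            if rx.search(s):
                findings.append((name, s))
        m = ASSIGNMENT_RULE.search(s)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(("high-entropy-assignment", s))
    return findings


if __name__ == "__main__":
    for rule, s in scan(SAMPLE_STRINGS):
        print(f"{rule:26} {s}")
```

The entropy gate is what keeps `api_key = 'changeme'` out of the report while still catching a real-looking secret next to a similar name; the fixed-shape rules need no such gate because their prefixes are unambiguous. Against a real bundle, feed the scanner the output of `strings` on each binary and the contents of any bundled config files, and treat every hit as a credential to rotate, not just to remove.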
Cameo has since acknowledged the data security scare. The company said it "promptly fixed the problem" and found no evidence that anyone other than the researchers had taken advantage of the vulnerability.
To be safe, anyone with a Cameo account should change their password. Cameo hashing and salting passwords (that is, storing a one-way hash of each password together with a random per-user salt, rather than the password itself or an encrypted copy of it) does not mean your credentials are secure.
Given the compromised infrastructure described above, it is entirely possible that the company is using an outdated or weak password hashing algorithm. A salt stops an attacker from reusing one precomputed table against every account, but it does not stop per-account guessing: if the hash is a fast general-purpose function rather than a deliberately slow one such as bcrypt, scrypt or Argon2, common passwords fall to an offline dictionary attack in seconds.
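To see why "hashed and salted" is not the same as "safe", the added example below runs the same dictionary attack against a leaked (salt, hash) pair produced two ways: salted SHA-256, one cheap call per guess, and PBKDF2-HMAC-SHA256 with a high iteration count, which makes every guess hundreds of thousands of times more expensive. This is illustrative code written for this article, not Cameo's password storage, about which the page says nothing beyond "hashed and salted"; the wordlist is constructed, and the slow function stands in for whichever slow KDF a site actually uses.

```python
import hashlib
import os
import time
from typing import Callable, Optional, Tuple

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "letmein", "qwerty", "snoopdogg", "cameo2019", "hunter2"]

HashFn = Callable[[str, bytes], bytes]


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-256: 'hashed and salted', but one cheap hash call per guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256: same inputs, but each guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(target: bytes, salt: bytes, hash_fn: HashFn,
          wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Offline dictionary attack on one leaked (salt, hash) pair.

    The salt is in the leak, so it is no secret; it only forces the attacker to redo the
    work for every user instead of sharing one precomputed table across all of them.
    Returns (recovered password or None, number of guesses made).
    """
    for tried, guess in enumerate(wordlist, 1):
        if hash_fn(guess, salt) == target:
            return guess, tried
    return None, len(wordlist)


def guesses_per_second(hash_fn: HashFn, salt: bytes, seconds: float = 0.25) -> float:
    """Rough single-core throughput for hash_fn; the ratio between the two functions is the point."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn("guess-%d" % n, salt)
        n += 1
    return n / seconds


if __name__ == "__main__":
    salt = os.urandom(16)
    leaked_fast = fast_salted_hash("hunter2", salt)
    leaked_slow = slow_salted_hash("hunter2", salt)
    print("fast hash cracked:", crack(leaked_fast, salt, fast_salted_hash))
    print("slow hash cracked:", crack(leaked_slow, salt, slow_salted_hash))
    print("fast guesses/s ~ %.0f" % guesses_per_second(fast_salted_hash, salt))
    print("slow guesses/s ~ %.2f" % guesses_per_second(slow_salted_hash, salt))
```

Both leaks give up "hunter2" because the password is in the dictionary; the salt changes nothing about that. What the slow function changes is the budget: at a few guesses per second per core instead of hundreds of thousands, the same wordlist that clears in under a millisecond against SHA-256 takes seconds, and a realistic multi-million-word list takes days per account. That is the gap a weak algorithm leaves open, and why changing the password is the right response even when the leak was "only hashes".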
As for the question of private videos, Cameo is clear about its policy: a cameo is classified as "private" only in the sense that it is not posted on the Cameo platform (meaning the talent's profile or other public pages).
"Cameos were designed to allow people to give and share personalized videos from their favorite talent among friends and family. Both public and private cameos are intended to be shared socially."