Indian social media app Slick left an internal database containing users' personal information, including data on school-going children, publicly exposed to the internet for months.
Since at least December 11, a database containing the full names, mobile phone numbers, dates of birth and profile photos of Slick users had been left online without a password.
Bangalore-based Slick was launched in November 2022 by former Unacademy executive Archit Nanda after he moved away from cryptocurrency and shut down his previous startup, CoinMint. His latest venture, Slick, is available on both Android and iOS and works similarly to Gas, a compliment-based app that is popular in the United States. The app also allows school and college students to talk to and about their friends anonymously.
Security researcher Anurag Sen found the exposed database and asked TechCrunch for help in reporting the incident to the social media startup. Slick secured the database shortly after being contacted by TechCrunch on Friday.
Due to a misconfiguration, anyone who knew the database's IP address could access the database, which contained entries for more than 153,000 users at the time it was secured. TechCrunch also discovered that the database was accessible via an easy-to-guess subdomain on Slick's main website.
The researcher also briefed India’s computer emergency response team, known as CERT-In, the country’s lead agency for handling cybersecurity issues.
Nanda confirmed to TechCrunch that Slick fixed the exposure. It is not known if anyone other than Sen found the database before it was secured.
Slick attracted a lot of younger users in India soon after its debut last year. Earlier this month, Nanda took to Twitter to announce that the application exceeded 100,000 downloads.