
Not surprisingly, the kind of people who avoid vaccines aren't particularly good at preventive cybersecurity either.
As reported by the Daily point, "Unjected" -- a dating site specifically for people who aren't vaccinated against COVID-19 -- has failed to take basic precautions to protect users' privacy, leaving sensitive information exposed and potentially allowing anyone who visits the site to become an administrator.
The Unjected site was set up so that the admin dashboard was fully accessible to anyone who knew how to look for it. Through this dashboard, an administrator can access user information for each member of the site, including name, date of birth, email address, and (if provided) home address.
The configuration error was discovered by a security researcher named GeopJr, who confirmed the vulnerability to the Daily point by editing live posts on the site. GeopJr apparently noticed that the site was published live to the web with "debugging mode" enabled -- a special set of features that software developers can use while working on an app, and that should never be enabled in an application that has been released to the public.
Using these features, the researcher could make almost any change to the site, including adding or removing pages, offering free subscriptions to paid services, or even deleting the entire database of post backups. The site is currently believed to have around 3,500 users, all of whose data could be accessed through the admin functions.
Although the user base is small, Unjected seems to have big ambitions to build connections within the unvaccinated community. In addition to providing dating services, Unjected also offers a “Fertility” section where users can offer their semen, eggs or breast milk for donation. Another section of the site also allows users to sign up for a "blood bank" by providing their location and blood type. Both the blood bank and fertility services are labeled to help users find "mRNA-free" donors -- a reference to the mRNA molecules used in Pfizer's and Moderna's COVID-19 vaccines.
The Unjected website is now one of the main portals for the project after the Unjected app was booted from the Apple App Store in August 2021 for violating Apple's COVID-19 content guidelines. However, Android users can still download the app if they wish: it is currently still listed in the Google Play Store, where it has more than 10,000 downloads and an average rating of 2.5 stars.
Source link https://vmvirtualmachine.com/anti-vax-dating-site-exposed-data-of-3500-users-through-debug-mode-errors/?feed_id=64437&_unique_id=62df98ddefdd7