Massage app exposes users – Naked Security


A popular massage-booking app has spilled the beans on 309,000 customer profiles, including comments from their masseurs or masseuses on how creepy their customers are.

The app’s wide-open, no-password-required database was discovered by researcher Oliver Hough, who tipped off TechCrunch.

Hough said in a tweet on Tuesday that the breach was caused by unimplemented security that should have been easy-peasy, and that the failing could lead to “some serious blackmail.”

TechCrunch reports that Urban left the database for a Google-hosted Elasticsearch instance – that’s an enterprise search tool – online without a password, “allowing anyone to read hundreds of thousands of customer and staff records.”

Anyone who knew where to look could access, edit or delete the database.

The makers of the app, which was previously known as Urban Massage but is now going by simply “Urban,” confirmed the breach on Tuesday. In its FAQ, Urban said that customers’ names, email addresses and phone numbers were exposed, as well as, potentially, their postcodes if they placed a booking on the platform. Urban says it’s going to contact those whose information it thinks was exposed.