
True Social App Data Breach: Privacy Concerns Rise

October 28, 2020

True markets itself as a social networking application focused on “protecting your privacy.” However, a security vulnerability resulted in one of its servers being openly accessible online, exposing private user information to public view.

The application was introduced in 2017 by Hello Mobile, a relatively unknown mobile virtual network operator that utilizes T-Mobile’s network infrastructure. True’s official website indicates it has secured $14 million in initial funding and reported exceeding half a million users shortly following its launch.

A control panel for one of the app’s databases was accessible on the internet without password protection, granting anyone the ability to view, examine, and search the database – including sensitive user data.

Mossab Hussein, the chief security officer at the Dubai-based cybersecurity company SpiderSilk, discovered the exposed control panel and shared the details with TechCrunch. Data from BinaryEdge, a search engine specializing in identifying exposed databases and devices, showed the control panel had been exposed since at least the beginning of September.

Following notification, True took the control panel offline.

Bret Cox, the chief executive of True, acknowledged the security issue but refrained from answering specific inquiries, such as whether the company intended to notify users about the breach or to report the incident to regulatory bodies as required by state data breach notification regulations.

The control panel contained daily server logs dating back to February, encompassing users’ registered email addresses or phone numbers, the content of private communications and posts, and users’ most recent geolocation data, potentially revealing their current or past locations. It also exposed the email and phone contacts uploaded by users, which True employs to identify connections with existing friends within the application.

Critically, none of this data was encrypted.

TechCrunch verified the authenticity of the data by creating a trial account and requesting Hussein to provide information exclusive to that account, such as the phone number used during registration.

Hussein explained that the control panel was also revealing account access tokens, which could be used to take control of any user’s account. Although a token looks like a random sequence of characters, it is what keeps a user logged in without having to re-enter credentials. Using the test account, Hussein retrieved the access token from the control panel and used it to log in to the account and publish a message.

The dashboard also made available one-time login codes, which True sends to a user’s registered email address or phone number in lieu of storing passwords.
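The two paragraphs above describe the core defect: session tokens and one-time login codes (alongside emails, phone numbers and geolocation) were written into server logs that then sat behind an unauthenticated control panel. The usual mitigation is to scrub such values before a log line is ever persisted, and to scan existing logs for anything that slipped through. The block below is an added example written for this page, not code from True, Hello Mobile or SpiderSilk; the field names (`access_token`, `otp`, `lat`, `lon`) and the log lines are constructed for the demonstration, and the patterns are deliberately conservative, so a bare 10-digit number is treated as a phone number and a real deployment would tune them to its own log format.

```python
import io
import logging
import re

# Redaction rules, applied in order. Each entry is (pattern, replacement).
# Field names are assumptions for this example; adjust to the real log schema.
REDACTIONS = [
    # Session / bearer tokens: keyword, separator, then a long token-like string.
    (re.compile(r"(?i)\b(access[_ -]?token|token|bearer)(\s*[:=]\s*)([A-Za-z0-9\-._~+/]{16,}=*)"),
     r"\1\2[REDACTED_TOKEN]"),
    # One-time login codes sent by email/SMS instead of passwords.
    (re.compile(r"(?i)\b(one[_ -]?time[_ -]?code|otp|login[_ -]?code)(\s*[:=]\s*)(\d{4,8})"),
     r"\1\2[REDACTED_CODE]"),
    # Registered email addresses.
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
     "[REDACTED_EMAIL]"),
    # Geolocation coordinates (must run before the phone rule so digits are not misread).
    (re.compile(r"(?i)\b(lat|latitude|lon|lng|longitude)(\s*[:=]\s*)(-?\d{1,3}\.\d+)"),
     r"\1\2[REDACTED_GEO]"),
    # Phone numbers in common North American layouts; bare 10-digit numbers also match.
    (re.compile(r"\+?\d{1,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
     "[REDACTED_PHONE]"),
]


def redact(line: str) -> str:
    """Return the log line with tokens, codes, emails, coordinates and phones masked."""
    for pattern, replacement in REDACTIONS:
        line = pattern.sub(replacement, line)
    return line


def contains_sensitive(line: str) -> bool:
    """Retrospective check: does an existing log line still carry any of the above?"""
    return any(pattern.search(line) for pattern, _ in REDACTIONS)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed before it is formatted or written."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its arguments first, then redact the final text.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo_logging() -> str:
    """Log through the filter into a buffer and return what would have hit disk."""
    buf = io.StringIO()
    logger = logging.getLogger("example.redaction")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    # Constructed sample values; the token is a random-looking placeholder, not a real credential.
    logger.info("login user=%s access_token=%s", "bob@example.com", "ZmFrZS10b2tlbi1mb3ItZGVtby1vbmx5")
    logger.removeHandler(handler)
    return buf.getvalue()


# Constructed sample log lines resembling the categories of data described in the article.
SAMPLE_LINES = [
    "2020-09-03 10:14:22 INFO login user=alice@example.com phone=+1 555-010-7788 "
    "access_token=ZmFrZS10b2tlbi1mb3ItZGVtby1vbmx5 otp=483920",
    "2020-09-03 10:14:25 INFO location user_id=1042 lat=40.7128 lon=-74.0060",
    "2020-09-03 10:14:30 INFO post user_id=1042 len=42",
]


def scan_and_redact(lines):
    """Return (number of lines that carried sensitive data, list of redacted lines)."""
    flagged = sum(1 for line in lines if contains_sensitive(line))
    return flagged, [redact(line) for line in lines]


if __name__ == "__main__":
    flagged, cleaned = scan_and_redact(SAMPLE_LINES)
    print(f"{flagged} of {len(SAMPLE_LINES)} lines contained sensitive data")
    for line in cleaned:
        print(line)
    print(demo_logging(), end="")
```

Running the scanner over an archive of existing logs is the retrospective check a team would want after an exposure like this one, while the `RedactingFilter` is the preventive control: with it attached to every handler, a dashboard that leaks the log store no longer leaks live session tokens or login codes.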

True states that deleting an account “will immediately remove all of your content from our servers,” but deleting the test account did not eliminate private messages, posts, and photos, which remained searchable through the control panel.

“This situation serves as another illustration of how errors can occur within any organization, even those prioritizing privacy,” Hussein stated to TechCrunch. “It underscores the necessity of not only developing secure applications and websites but also implementing robust data security protocols within internal processes.”

A representative from Hello Mobile was unavailable for comment.

Hussein also identified an exposed database control panel belonging to Blind, an “anonymous social network” frequently used by employees to publicly report misconduct and wrongdoing within their companies.

You can contact the author with tips securely using Signal and WhatsApp to: +1 646-755-8849.
