Conflicting accounts have emerged about a security breach involving the ai.type add-on keyboard for iOS and Android. Researchers claim that data on 31 million people has been compromised, and that users' contacts may also be included in the leak.
The Kromtech Security Center discovered on Tuesday that a MongoDB database used to collect data on ai.type keyboard users was misconfigured, and was available on the internet. Contained in the database is reportedly "data and details of 31,293,959 users" of the ai.type keyboard.
According to the researchers, the user information includes phone numbers, full names, device name and model, mobile network name, SMS number, screen resolution, enabled user languages, Android version, IMSI number, IMEI number, email addresses associated with the phone, country of residence, links to and information from associated social media profiles (including birthdates and photos), IP address, and location details.
Making the situation worse, it appears that 6.4 million records contained data gleaned from users' contacts, including names and phone numbers, bringing the total to 373 million records in the briefly publicly available database.
Other information in the database includes average messages per day, words per message, and ages of users.
"It is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user," said Kromtech's Head of Communications Bob Diachenko. "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices."
Upon installation, ai.type asks for "Full Access." If permission is granted, the add-on keyboard can transmit absolutely anything typed through the keyboard to the developer. The company claims that it will never use the personal information it collects, but if Kromtech is correct, the company appears to have stored a fair amount of information from users' devices anyhow.
Ai.type tells a different story about the data contained in the database, but does not deny that a database was publicly available for a period of time.
Speaking to the BBC, Chief Executive Eitan Fitusi says that the stolen information was a "secondary database." Additionally, he claims that the IMEI information was never collected by the company, user data collected only involves what ads are clicked by the user, and that the location data wasn't accurate.
Fitusi claims that the database has been secured since the breach.
The company that found the database, Kromtech, is the company that develops and sells the poorly regarded MacKeeper suite of applications.
Well, I'm glad I'm not using this Keyboard. This crap is exactly why Apple forces their own keyboard when you go to type in a Password. Because at least that Data is safe. Why would you collect all this Data if you were not using it? Just for the hell of it? How are you making money if the Keyboard is free? Makes no sense.
If I read the article correctly, the mention of "31 million iPhone users" is misleading. I expect that the vast majority of those users are, in fact, Android owners. I doubt there are 31 million iPhone numbers who have tried any alternative keyboards to date.
I do like the (well deserved) dig at Kromtech in the last line, however.
People whine about Apple’s “walled garden.” I prefer to stay in the garden and avoid most of these issues. And when problems do arise, they get fixed quickly. Enjoy your cool hacks.