Whistleblowing app Blind admits security lapse exposed messaging data
Blind, an anonymous whistleblowing app said to have users at Apple and other large tech corporations, has acknowledged that it recently left one of its servers without a password, exposing identifiable account data.
The gap was discovered by a security researcher, who alerted the company to the problem, according to TechCrunch. Blind only pulled down the offending database, however, after TechCrunch followed up on the issue. The app's developers started emailing customers this Thursday.
"While developing an internal tool to improve our service for our users, we became aware of an error that exposed user data," the email reads.
The exposure affects people who signed up or logged in between Nov. 1 and Dec. 19, and Blind executive Kyum Kim claimed that there is "no evidence" so far of data being stolen or misused. TechCrunch noted that the database offered "a real-time stream of user logins, user posts, comments and other interactions, allowing anyone to read private comments and posts," and that it was possible to see user access tokens, as well as the email addresses of people who hadn't yet posted.
Passwords were allegedly found stored as easily cracked MD5 hashes, but Kim denied this, insisting that the company uses methods such as salted hashes and SHA-2.
Blind users have been credited with exposing several corporate scandals, including sexual harassment at Uber. The ridesharing giant resorted to blocking the app on its internal network. Aside from Apple, some other companies with Blind users include Facebook, Google, Microsoft, and Twitter.
Outlets for anonymous whistleblowing have become extremely important in the modern tech landscape, as corporations have sometimes proven eager to punish or silence people who bring immoral or illegal actions to light.