Follow us

Adult Sites Blocking App had a data breach

The app called BlockerX operated non protected database and leaked alarming data.

Updated: September 13, 2021 By Jeremiah Fowler

Hacked adult sites blocking app

Image source - Shutterstock

On August 2nd, I discovered a non-password-protected database containing a large number of publicly exposed records. Among discovered data are user's personal data, links to Amazon AWS with screenshots, quotes, and other unprotected, at the same time, potentially critical data.

 

What kind of data is being exposed?

Upon further investigation, the exposed records were references to a Adult Sites Blocking App called BlockerX.

The exposed database contained

  • 121,624 total records and
  • one folder named “users” with 72,000 records.

Details of the discovery:

  • Records that expose user names, some email addresses, and encrypted user data.
  • Amazon AWS bucket names and addresses where user attachments and screenshots are uploaded.
  • I saw several posts about disturbing thoughts, self-harm, rape, and murder.
  • The database was set to open and visible in any browser (publicly accessible), and anyone could edit, download, or even delete data without administrative credentials.

Some of the user names appeared to be formatted in first and last names, and others were simply email addresses. These may have been added as a "username" by mistake, but they could potentially expose the real identity of the users.

The user records contained a 20 character encrypted “User ID” that we can only assume is the real name and identity of the individual and used for internal records. Decrypting this could potentially put these users at risk and publicly expose their real identities.

There were links to Amazon AWS files such as BlockerX resource documents to help users, but I also saw user uploads like screenshots. The screenshots appeared to be in chronological order by date and then numbered. Hypothetically this format would be easy to guess and go through each and every screenshot looking for sensitive data.

The small sampling of AWS files I reviewed contained users’ achievements, motivational quotes, and some provocative images of women that were not pornographic but questionable, given the nature of the service. These images could also be a risk if the user uploaded any personally identifiable images.

Example of exposed data:

Example of how the IDs, User IDs, and Usernames appeared in the dataset

There were many disturbing messages such as this where users expressed self-harm or suicidal thoughts.

Extraction of user’s messages with disturbing content

Example of the Amazon AWS attachments that were also public and non-password-protected. This shows a user's current timeline of not watching pornography.

Example of data linked from the database to other unprotected Amazon AWS Bucket


How is this dangerous for users?

The real danger here would be cybercriminals identifying BlockerX users and trying to blackmail vulnerable individuals for financial gain.

Usernames are a puzzle piece that cybercriminals can use to obtain more information or socially engineer their victims. In this instance, an attacker would have a list of valid usernames. Next, they could try and use a brute force attack on the accounts using common passwords.

Many people reuse the same username on multiple accounts and platforms. The exposure of a username may seem low-risk, but it can create a snowball effect once an account is breached.

It is a well-known fact that not everyone uses a unique password.

A study in 2019 found that 72 percent of people reuse passwords for their personal accounts. This would make credential stuffing an easy method to access accounts.

Criminals could cross-reference usernames to passwords previously exposed in older known data breaches. There would be a very high likelihood that users would have the same passwords connected to the same usernames. Once a criminal had access to the account, they could attempt to extort the account holder or other BlockerX users.


What are the consequences for legal entities?

I immediately sent a responsible disclosure notice to BlockerX and their parent company Atmana Innovations.

Access to the data was restricted in a matter of hours, and I received a reply thanking me for the notification and bringing the misconfiguration to their attention.

Porn addiction is a compulsive behavior that can cause real harm in the lives of people who struggle with this problem. It can harm nearly every aspect of their lives, including relationships, work, and their own well-being or mental health.

Apps and services are valuable tools to help restrict adult content and help limit compulsive behavior.

With technology also comes additional risks that users may not think about when providing their personal data, payment information, or sharing potentially sensitive content.

According to a report published by Webroot:

  • About 200,000 Americans are classified as “porn addicts.”
  • 40 million American people regularly visit porn sites.
  • 35% of all internet downloads are related to pornography.
  • 34% of internet users have experienced unwanted exposure to pornographic content through pop-up ads, misdirected links, or emails.
  • One-third of porn viewers are women.

BlockerX also has an "accountability partner" feature that allows users to support each other. Reading through the messages sent or posted by users, it was clear to see the real struggle and pain that many feel with their addictions or urges to pornography.

Among the messages of support and encouragement, I also saw some that were extremely disturbing about self-harm, rape, and murder. It is unclear how BlockerX deals with this type of content or the individuals who make these statements.

If you or someone you know is suicidal, please reach out to a crisis line or a suicide hotline and seek help.

According to their website, BlockerX is a subscription service and app that uses web request APIs and keywords to block/filter adult content in real-time.

  • They claim to have over 1 million users.
  • The cost is $7.50 per month.
  • Lifetime access for $180.
  • They appear to have customers all over the world.
  • Offer the app in 63 languages.

We are not implying any wrongdoing by BlockerX or their parent company Atmana Innovations (formerly FunSwitch Technologies), and they acted fast and professionally to secure the exposed records in a matter of hours.

We are highlighting this discovery as a real-world example of how data exposures happen and the risks they pose.


What are mitigation steps?

Cybersecurity awareness and best practices are essential first steps to reducing risks.

There is a set of common best practices that companies should follow to ensure minimum base level protection for their own infrastructure also their user’s personal data.

  • Apply best practices and standards for secure coding in your organization.
  • Developers should follow a secure-by-default principle. Multi-factor authentication and a strong password policy apply right after registration.
  • Users have to take responsibility for using VPN-protected connections and obfuscated login data for such applications.

Conclusion

This discovery highlights how important it is to protect the data of real people who are trying to better their mental health and struggling with addiction.

It is a wake-up call to any company or organization that collects or stores information on its users.

It should be noted that BlockerX did encrypt the real names of users in the records, but as technology changes rapidly, what might be a secure algorithm today could be vulnerable tomorrow and put users at  risk.

Tags: 
Leaks
Author
Jeremiah Fowler
Jeremiah Fowler is a cyber security researcher and the co-founder of Security Discovery and has spent over a decade in the tech industry.

Write a review

click to select