U.S. Army members are being affected by a security flaw… again. This time, the incident is related to Untappd, an app for sharing beer photos and checking in at bars. A group of researchers used publicly accessible data in the app to identify its users. The investigation required no hacking at all, which is why it is considered a serious error on the developers' part.
Bellingcat experts, a self-described collective of independent researchers and journalists, were able to determine where multiple Untappd users live, where they work and where they drink beer, also discovering that many are members of the U.S. Army. Investigators found photos of military IDs, documents and equipment completely exposed.
This is not the first time an app has unintentionally exposed too much information. Previously, researchers found that Strava, a route-tracking app for cyclists, also posed a safety risk to its users. In the case of Untappd, users are invited to check in at various places, record the beers they have tasted and share their experience with other beer enthusiasts.
Although this seems like a harmless activity, the investigation demonstrates a risky scenario: “Using this data we were able to trace the identity of a drone pilot, in addition to a list of the military bases you visited recently. We also found a naval officer who visited the Pentagon facility several times, as well as an intelligence officer.” According to the report, this is achieved by cross-referencing the records in Untappd with other platforms, something very easy for anyone with the necessary knowledge.
In other words, any threat actor could compromise the privacy of Untappd users because of the way the app handles publicly accessible data, which could lead to disastrous scenarios. The company was asked about it, but has not issued an official statement so far.
While this is an undesirable situation, experts note that it would be inaccurate to claim that this happens due to malicious practices by the company. By analyzing Untappd, the researchers concluded that the app works as the developer company intends; the point is that users have also contributed, posting photos of fighter jets or military equipment, which made them easier to identify in this investigation.
One way to mitigate these kinds of risks is to consider how necessary it really is for users to record their location on online platforms, because sometimes this information is all an attacker needs to start an attack. Disabling GPS on mobile devices when it is not needed is a good measure to limit this kind of exposure.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.