Another week, another leak. And this one was a sensitive one involving the Aspire News App. The app was created by a U.S. non-profit, When Georgia Smiled. It was designed to appear to be a news app, but actually featured an emergency help function that would allow domestic abuse victims to send emergency distress messages to a trusted person. Those messages could be pre-programmed by the user so that they could be activated quickly and sent via voice recording.
According to researchers from vpnMentor, the developers had stored over 4,000 voice recordings on a misconfigured Amazon Web Services (AWS) S3 bucket that permitted files to be viewed and downloaded without any login required. They report that the bucket contained about 230 MB of recordings for an untold number of people, although they estimate that it may represent 4,000 or more individuals. They state that the recordings might include details such as the user’s name, address, current location, and nature of the emergency. The messages might also include the name of the abuser.
vpnMentor quickly reached out to notify parties to get the data secured, including Amazon and Zack Whittaker of TechCrunch. Within the day, the bucket was locked down.
PogoWasRight reached out to When Georgia Smiled for additional details, but received no response. They did not respond to TechCrunch’s inquiries, either. As of the time of this posting, there does not seem to be any notice or alert on the app’s listing on the App Store or on Google Play. Nor is there any notification on the foundation’s website for the app.
So will anyone be notified of this leak? If so, how?