Emerging Indian social media app Slick left an internal database of users’ personal information, including data of school children, publicly exposed to the internet for months.
Since at least December 11, a database containing the full names, cell phone numbers, dates of birth and profile pictures of Slick users has been left online without passwords.
Bengaluru-based Slick was launched in November 2022 by former Unacademy executive Archit Nanda after switching from crypto and shutting down his previous startup CoinMint. His latest venture, Slick, is available on Android and iOS and works similarly to Gas, a compliment-based app that’s popular in the US. The app also allows school and college students to talk with and about their friends anonymously.
security researcher Anurag Sen found the exposed database and asked TechCrunch for help in reporting the incident to the social media startup. Slick secured the database shortly after TechCrunch contacted Friday.
Due to misconfiguration, anyone who knew the database’s IP address could access the database, which contained entries from more than 153,000 users at the time it was secured. TechCrunch also discovered that the database was accessed through an easy-to-guess subdomain on Slick’s main website.
The researcher also briefed India’s Computer Emergency Response Team, known as CERT-In, the country’s lead agency for handling cybersecurity issues.
Nanda confirmed to TechCrunch that Slick fixed the exposure. It is unknown if anyone other than Sen found the database before it was secured.
Slick attracted many young users to India shortly after its debut last year. Earlier this month, Nanda took to Twitter to announce that the application has exceeded 100,000 downloads.
