A webcam application installed by a huge number of users left an exposed database loaded with user information on the internet without a password. The Elasticsearch database belonged to Adorcam, an application for viewing and controlling a few webcam models, including Zeeporte and Umino cameras. Security researcher Justin Paine found the data exposure and contacted Adorcam, which secured the database. The Adorcam application is built specifically for the P2P IP camera series. Users only need to enter the camera ID and password to watch real-time video from any purchased IP camera on their cell phone, and no complicated IP or router settings are required.
Paine said in a blog post that the database contained around 124 million rows of information for the several thousand users, and included live details about the webcam (for example, its location, whether the microphone was active, and the name of the WiFi network that the camera is connected to) and information about the webcam owner, such as email addresses. Paine additionally found evidence of the camera uploading captured stills from the webcam to the application's cloud; however, he was unable to confirm this since the links had expired.
He also discovered hardcoded credentials in the database for the application's MQTT server. MQTT is a lightweight messaging protocol often used in internet-connected devices. Paine didn't test the credentials (as doing so would be unlawful in the U.S.), but alerted the application's developer to the vulnerability, who then changed the password. Paine verified that the database was being updated live by signing up with a new account and looking for his own data in the database. Although the data was limited in sensitivity, Paine cautioned that a malicious hacker could craft convincing phishing emails, or use the data for extortion.
In his report on the matter, Paine pointed out that the data contained in the database distinguished between Adorcam's Chinese users and its users outside of China, saying, “One interesting detail about this database was that the user information was split between Chinese users and "abroad" users. For example: request_adorcam_cn_user vs. request_adorcam_abroad_user. Adorcam almost certainly has breach disclosure obligations based on what appeared to be a global user base. If they had users within the EU they absolutely have an obligation.”