Pray.com, which offers a Christian faith app that has been downloaded over 1 million times, has been “leaking” user data, researchers from cybersecurity firm vpnMentor told Fox News.
The Pray app is designed for daily prayer, Bible stories and Christian meditation, according to the app’s download page. “It has been incredibly popular since launching in 2016,” vpnMentor said in a research note.
“Pray.com’s developers failed to properly secure vast amounts of data collected from the app,” vpnMentor said, potentially exposing users to fraud and online attacks.
The researchers said they discovered four misconfigured Amazon Web Services (AWS) S3 buckets and identified Pray.com as the owner.
That resulted in “many of the files stored within them [being] publicly accessible to anyone with access to the bucket’s URL (easily obtained),” vpnMentor explained. “Through further investigation, we learned that Pray.com had protected some files, setting them as private on the buckets to limit access.”
AWS S3 buckets are a popular cloud storage solution for many apps and websites, but users must set their own security protocols, vpnMentor said.
The researchers added they have no way of verifying whether data has actually been leaked. “We have no evidence – and no way of knowing – whether the data in our reports has been accessed or leaked by anyone else; only the database owner can know that,” the cybersecurity firm said.
“We don’t know if anyone has actually accessed data and downloaded it,” Ran Locar of vpnMentor’s research team told Fox News in a phone interview. Locar, along with Noam Rotem, led the research team that looked into the data exposure.
The company’s attempts to contact Pray.com. were unsuccessful. “After our first two attempts at contacting Pray.com failed to elicit a reply, we contacted AWS directly to notify them…but there remains no evidence that the [Pray.com] has attempted to resolve the issue,” vpnMentor said.
Fox News has contacted Pray.com but has not yet received a response.
Amazon’s AWS is not responsible for the server misconfigurations cited above, vpnMentor said.
What makes a leak like this dangerous is “most of the people affected don’t even know…they didn’t agree to have their data exposed,” Locar said, adding that user data sometimes contains PIN numbers and credit card numbers among other very sensitive data.
“That stuff also got grabbed and sent to their servers,” Locar added.
“[This is] a very strong privacy lesson,” Locar said. “If an app is asking for permission, it will grab the data and the data is no longer in your control.”
“When using an app on any device, carefully review the permissions it’s requesting and find out for what purpose they’re needed. If an app asks for access that doesn’t make sense, you can refuse,” vpnMentor said in the research note.