Slick, an upstart Indian social media app, has exposed an internal database containing users’ personal information, including data on children attending school, to the internet for months.
Since at least December 11th, a database containing Slick users’ names, mobile numbers, dates of birth and profile pictures has been left online without a password.
Bengaluru-based Slick was launched in November 2022 by former Unacademy exec Archit Nanda after turning away from cryptocurrencies and shutting down his previous startup CoinMint. His latest venture, his Slick, is available on both Android and iOS and works similarly to Gas, a popular tribute-based app in the US. The app also allows school and college students to anonymously talk to and talk about their friends.
security researcher Anuragsen Slick secured the database shortly after being contacted on Friday by CloudDefense.ai’s . TechCrunch that discovered the exposed database.
A misconfiguration made the database accessible to anyone who knew the IP address of the database. This database contained entries for over 153,000 users at the time he was secured. TechCrunch also found that the database was accessible from a guessable subdomain of Slick’s main website.
The researchers also notified India’s Computer Emergency Response Team, known as CERT-In, the leading agency for handling cybersecurity matters.
Nanda confirmed to TechCrunch that Slick has fixed the exposure. It is unknown whether anyone other than Sen discovered the database before it was secured.
Shortly after debuting last year, Slick attracted many young users in India.Earlier this month, Nanda took to Twitter to announcement Your app has over 100,000 downloads.