Data of 31 million users of iPhone add-on keyboard ai.type potentially leaks
Conflicting accounts have emerged about a security breach involving the ai.type add-on keyboard for iOS and Android, with researchers claiming that 31 million people's data has been compromised -- with a user's contacts also potentially included in the leak.
The Kromtech Security Center discovered on Tuesday that a MongoDB database used to collect data on ai.type keyboard users was misconfigured, and was available on the internet. Contained in the database is reportedly "data and details of 31,293,959 users" of the ai.type keyboard.
According to the researchers, user information includes phone numbers, full names, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number, IMEI number, emails associated with the phone, country of residence, links and the information associated with the social media profiles including birthdates and photos, IP, and location details.
Making the situation worse, it appears that 6.4 million records contained data gleaned from a user's Contacts, including names and phone numbers, leading to a total of 373 million records in the briefly publicly available database.
Other information in the database includes average messages per day, words per message, and ages of users.
"It is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user," said Kromtech's Head of Communications Bob Diachenko. "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices."
Upon installation, ai.type asks for "Full Access." If permission is granted, the add-on keyboard can transmit absolutely anything typed through the keyboard to the developer. However, the company claims that it will never use personal information it collects -- but if Kromtech is correct, the company appears to have stored a fair amount of information from the user's device anyhow.
Ai.type tells a different story about the data contained in the database -- but does not deny that a database was available publicly for a period of time.
Speaking to the BBC, Chief Executive Eitan Fitusi says that the stolen information was a "secondary database." Additionally, he claims that the IMEI information was never collected by the company, user data collected only involves what ads are clicked by the user, and that the location data wasn't accurate.
Fitusi claims that the database has been secured since the breach.
The company that found the database, Kromtech, is the company that develops and sells the poorly regarded MacKeeper suite of applications.
Comments
I do like the (well deserved) dig at Kromtech in the last line, however.
https://play.google.com/store/apps/details?id=com.aitype.android.emojinew&hl=en
Personally I love the Apple implementation of requiring their keyboard when entering passwords. I don’t use any other keyboards but I tried swipe years ago. My android friends kept raving about swiping but it just didn’t get me. The walled garden works for me.
“Free” always makes me wonder what the TRUE cost is.
https://a-i-type-keyboard-free.en.uptodown.com/android
Might be the only one, but since this outfit seems to have been harvesting user info for some reason, my guess is that they’ll be aiming for as wide a distribution as possible.
1. Apple should not have allowed the use of any third party keyboard in their iOS products.
2. Any sane person should not be using a third party keyboard, even after Apple allowed that.
But muh customization! SMH
Turns out you have to know what you are doing BEFORE you start handling sensitive information for your clients. What a new idea that is.
But here is a shocker. Even if their keyboard turns out to be crap, and they don't see another download in months, they will just open another developer account and write another keyboard exactly like the one before! And the "tech-savvy" people will download it again, while mumbling incoherently about oppressive Apple and lack of customization in their products. Sigh.
I highly doubt the same information was available from any iOS version.
There's a good read which explains the potential iOS app problems here:
https://zeltser.com/third-party-keyboards-security/