Webcam App Data Breach Exposes Thousands of User Accounts

Data Exposure Affects Thousands of Webcam Users
A widely used webcam application unintentionally exposed a user database to the public internet. Critically, the database was not protected by a password.
Details of the Data Breach
The exposed Elasticsearch database was associated with Adorcam, an application designed for viewing and managing various webcam models, including Zeeporte and Umino cameras. Security researcher Justin Paine identified the vulnerability and promptly notified Adorcam, leading to the database being secured.
According to a blog post shared with TechCrunch, the database encompassed approximately 124 million data entries pertaining to thousands of users. This included real-time information regarding the webcams themselves.
Information Contained in the Database
The compromised data featured live details about each webcam, such as its geographical location, the operational status of the microphone, and the name of the WiFi network to which it was connected.
Furthermore, the database contained personally identifiable information about the webcam owners, including their email addresses.
Additional Findings
Evidence suggested that the webcams were uploading captured still images to the application’s cloud storage. However, Paine was unable to confirm this due to the expiration of the relevant links.
Hardcoded credentials for the application’s MQTT server were also discovered within the database. MQTT is a lightweight messaging protocol commonly used by internet-connected devices.
While Paine refrained from testing these credentials due to legal constraints in the U.S., he immediately informed Adorcam of this vulnerability, prompting a password change.
Verification and Potential Risks
Paine confirmed the database was actively updating by creating a new account and successfully locating his own information within it. Although the data wasn't highly sensitive, he cautioned that malicious actors could leverage this information to create sophisticated phishing campaigns or engage in extortion.
Lack of Communication from Adorcam
Despite repeated attempts, Adorcam has not responded to inquiries regarding the incident, including whether they intend to notify affected users.
The incident highlights the importance of robust security measures for internet-connected devices and the applications that manage them.
