A number of popular “camgirl” sites have exposed millions of sex workers and users after the company that manages the sites left the main database unprotected.

The sites, managed by Barcelona-based VTS Media, include amateur.tv, webcampornoxxx.net, and placercams.com. Most of the users of the sites are based in Spain and Europe, but we found evidence of users around the world, including the United States.

According to Alexa traffic rankings, amateur.tv is one of the most popular sites in Spain.

The database, containing months of daily logs of site activity, was left without a password for weeks. These logs included detailed records of when users logged in – including usernames and sometimes their user agents and IP addresses, which can be used to identify users. The logs also included users’ private chat messages with other users, as well as promotional emails they received from different sites. The logs even included failed login attempts, storing usernames and passwords in plain text. We have not tested the credentials as it would be illegal.

None of the data was encrypted.

The exposed data also revealed which videos users were watching and renting, exposing issues and private sexual preferences.

Overall, the logs were detailed enough to see which users were logging in, from where, and often their email addresses or other identifiable information – which in some cases we could associate with actual identities.

Not only were users affected, but “adult cam sites” – who broadcast sexual content to viewers – also had some of their account information exposed.

The database was closed last week, which allowed us to publish our results.

The “camgirl” site, which exposed the account data of millions of users and sex workers by not protecting a backend database with a password. (Image: TechCrunch)

Researchers from Condition: Black, a cybersecurity and internet freedom company, discovered the exposed database.

“It was a serious technical and compliance failure,” said John Wethington, Founder of Condition: Black. “After reviewing the site’s data privacy policy and terms and conditions, it’s clear that users probably had no idea that their activities were being monitored at this level of detail.”

“Users should always consider the implications of their data leak, but especially when the implications could be life changing,” he said.

Data exposures – where companies inadvertently leave their own systems open to everyone – have become increasingly common in recent years. Dating sites are among those that contain some of the most sensitive data. Earlier this year, the group dating site 3Fun exposed the data of over a million users, allowing researchers to view real-time locations of users without permission. These security holes can be extremely damaging to their users, exposing private sexual encounters and preferences known only to the users themselves. The fallout from the 2016 hack of the site Ashley Madison caused families to break up, and several suicides were reported in connection with the breach.

An email to VTS Media bounced back over the weekend. Hector Ros Oliver, a spokesperson for the company, made several denials in a statement published Monday.

Since the company and its servers are located in Europe, exposure of sexual preferences would fall under the “special categories” of GDPR rules, which require more protections. Companies can be fined up to 4% of their annual revenue for GDPR violations.

A spokesperson for the Spanish Data Protection Authority (AEPD) did not respond to a request for comment outside of office hours.


Do you have a tip? You can send tips securely via Signal and WhatsApp at +1 646-755-8849. You can also send PGP email with fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
