Emerging Indian social media app Slick left an internal database of users’ personal information, including data from school-aged children, publicly exposed on the internet for months.
Since at least December 11, a database containing the full names, mobile numbers, dates of birth and profile photos of Slick users had been online without a password.
Bengaluru-based Slick was launched in November 2022 by former Unacademy executive Archit Nanda after he switched away from crypto and shut down his previous startup CoinMint. His latest venture, Slick, is available on both Android and iOS and works similarly to Gas, a compliment-based app popular in the United States. With the app, students can talk anonymously with and about their friends.
Security researcher Anurag Sen found the exposed database and asked AapkaDost for help reporting the incident to the social media startup. Slick secured the database shortly after AapkaDost reached out Friday.
A misconfiguration allowed anyone who knew the database’s IP address to access it. The database contained data on more than 153,000 users at the time it was secured. AapkaDost also found that the database was accessible through an easy-to-guess subdomain on Slick’s main website.
The researcher also briefed India’s computer emergency response team, known as CERT-In, the country’s leading agency for handling cybersecurity issues.
Nanda confirmed to AapkaDost that Slick fixed the exposure. It is unknown if anyone other than Sen found the database before it was secured.
Slick attracted much younger users in India shortly after its debut last year. Earlier this month, Nanda announced on Twitter that the app had exceeded 100,000 downloads.