Emerging Indian social media app Slick left an internal database storing users’ personal information, including information on school-aged children, exposed for months.
Since at least December 11, a database containing the full names, mobile phone numbers, birth dates, and profile images of Slick users was left unprotected online.
Bengaluru-based Archit Nanda, a former executive at Unacademy, founded Slick in November 2022 after turning away from cryptocurrencies and closing his previous firm, CoinMint. His most recent endeavor, Slick, is available on both Android and iOS and functions similarly to Gas, a successful U.S. app based on compliments. The app also lets high school and college students talk with and about their friends anonymously.
Security researcher Anurag Sen of CloudDefense.ai discovered the unsecured database and asked TechCrunch for assistance in reporting the matter to the social media company. Slick secured the database after being contacted on Friday.
Due to a misconfiguration, anyone who knew the database’s IP address could access it. The database held more than 153,000 user entries at the time it was secured. TechCrunch also discovered that the database was accessible via an easily guessed subdomain on Slick’s main website.
The researcher also alerted India’s computer emergency response team, often known as CERT-In, which is the country’s primary cybersecurity body.
Nanda confirmed that Slick has resolved the vulnerability. It is unknown whether anyone except Sen discovered the database before it was secured.
Upon its debut in India last year, Slick quickly garnered a large number of younger users. Nanda announced on Twitter earlier this month that the app had surpassed 100,000 downloads.