Over 300 million private messages from Chinese users on popular messaging apps were sitting exposed on the internet on Saturday, according to security researcher Victor Gevers, who works for the nonprofit organization GDI. The database of 364 million records left users’ personal identities searchable to anyone who found the IP address, as reported by the Financial Time, The Verge writes.
Each record, drawn from apps like WeChat and QQ, also contained personally identifying Chinese citizen ID numbers, photos, addresses, GPS location data, and info on the type of device being used. Worse, the main database also sent the data back to 17 other remote servers, according to Gevers.
To Gevers, it looks like the data ultimately gets distributed to police stations in cities or provinces — the other 17 servers — identifiable by their numerical codes. To be clear, he tells The Verge, “There is no evidence that law enforcement is doing something active with this spoonfed data. But the infrastructure and well-planned data distribution are there.”
“There were chats from teenagers. Direct messages that were supposed to be private,” Gevers says, “I threw a few into Google Translate and shared those to Twitter. But we stopped there — I don’t think Chinese people will appreciate it if we start digging more into their conversations.”
Many of the records contained addresses of internet cafes, indicating that the users might be gamers who frequent these cafes. Internet cafes have often been a target of censorship in China. Some local officials have asked cafes to install software that would track what its users browse.
Gevers first found the leak when monitoring devices through Shodan, a search engine that lets you look up internet-connected devices. According to him, it looked like someone had messed up a firewall configuration, leaving the database exposed. Gevers reached out to a Chinese internet service provider, ChinaNet Online, on Saturday and the database was locked down after a few hours.
It’s pretty common for the Chinese government to monitor or otherwise outsource monitoring of internet users’ conversations to ensure nothing untoward is said. Chinese tech companies are similarly straightforward in terms of use over the type of data collection that occurs on apps and websites.
For instance, the biggest social media app, WeChat, states in its privacy policy that it collects user data to “comply with applicable laws and regulations.” This has led to criticism and speculation from prominent figures, like businessman Li Shufu, who said that Tencent CEO Ma Huateng “must be watching all our WeChats every day.” WeChat has publicly denied the accusations.
What’s actually surprising in this case was that the information was open to anyone to access. Gevers told Bleeping Computer in an earlier interview, “There is no security. It looks like they have no clue what they are doing.”
When Gevers emailed the Chinese ISP to warn it to secure the data, he included some tips for how to keep the information more secure. He advised the ISP to protect the server with a firewall blocking port or to only accept local connections. “Criminals often target open databases to deploy their activities like data theft or ransom,” he warned the Chinese ISP. “But we also have seen cases where open servers like these are used for hosting malware and botnets.”
Companies can also end up paying millions to settle charges brought by US authorities.