#Twinning was spilling your data

Seeing a timeline of people merrily uploading their photos to Popsugar’s #Twinning app yesterday prompted me to go full Scrooge:

But, after poking around at Popsugar’s privacy policy, there was nothing out of the ordinary in there. I mean, they’re still sharing user data with advertisers, but no more than any other site of its kind. So I didn’t say any more.

But then, TechCrunch did some real digging into the site’s code, and found:

All of the uploaded photos are stored in a storage bucket hosted on Amazon Web Services. We know because the web address of the bucket is in the code on the Twinning tool’s website. Open that in your web browser, and we saw a real-time stream of uploaded photos.

Oh well.

The hole does appear to be fixed. No real harm done, I suppose – those pictures are being uploaded by people presumably with the very intention of sharing them on social media, so it’s hardly data breach of the year (there’s still time for one more whopper, as I write this).

I must ask, though: how often will we continue to see major data breaches occurring thanks to misconfigured AWS buckets/open AWS database information? Uber, GoDaddy, Verizon, Accenture, the NSA … and many more … all due to mismanaged AWS accounts.
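A check for this class of misconfiguration, as an added example that is not code from Popsugar, TechCrunch or AWS: it inspects a bucket ACL and bucket policy offline and separates anonymous listing (opening the bucket address shows every upload, as in the quoted report) from anonymous read of a single known object. The input shapes follow what boto3's `get_bucket_acl` and `get_bucket_policy` return. The sample documents and the bucket name are constructed, and `Resource`, `Deny` statements, conditions and Block Public Access settings are deliberately not evaluated.

```python
import json
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, authenticated or not.
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)

def _grants(stmt, action):
    # IAM action names are case-insensitive and may contain wildcards.
    patterns = _as_list(stmt.get("Action", []))
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def public_exposure(acl, policy_json=None):
    """Return sorted findings: 'list' (anyone can enumerate keys) and/or
    'read' (anyone can fetch an object whose key they already know)."""
    findings = set()
    for grant in acl.get("Grants", []):
        # On a bucket ACL, READ for AllUsers is permission to list its objects.
        if (grant.get("Grantee", {}).get("URI") == ALL_USERS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            findings.add("list")
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    for stmt in _as_list(statements):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # simplification: conditional statements are not evaluated
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if _grants(stmt, "s3:ListBucket"):
            findings.add("list")
        if _grants(stmt, "s3:GetObject"):
            findings.add("read")
    return sorted(findings)

# Constructed sample inputs; "example-uploads" is a placeholder bucket name.
SHARE_ONLY_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-uploads/*"}]})
LISTABLE_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Get*", "s3:List*"],
    "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"]}]})
PRIVATE_ACL = {"Grants": []}
LISTABLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                            "Permission": "READ"}]}
```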

Dear companies that hold our data: In 2019, do better.