Cybersecurity Flaw at ‘Baby Shark’ App Developer, Pinkfong, Causes Data Leak
The Leak Includes Google Login Credentials, App Settings, and a Slack Webhook.
A recently discovered cybersecurity flaw at the South Korean company Pinkfong led to a data leak that included Google login credentials, app settings, and a Slack webhook.
The app developer, Pinkfong, makes very successful educational applications for children, as well as apps featuring popular characters like Peppa Pig and Bob the Builder.
They are the ones who launched the “Baby Shark Dance”, the most popular video on YouTube, with over 11 billion views.
Details About the Flaw
The flaw was discovered by VPNOverview’s research team on August 10, 2022, when they identified an unsecured AWS S3 bucket containing Pinkfong’s scripts and data.
Our security team discovered an unsecured AWS S3 bucket containing data and scripts belonging to Pinkfong. While examining the bucket, we found what appeared to be data from Pinkfong’s CMS (content management system) used for configuring their apps and hosting streaming content.
Each directory in the bucket held settings, content, and scripts related to their apps.
What Data Was Leaked
The leaked data included credentials and passwords for Gmail, Google Drive, and Slack.
Pinkfong appears to use Google Sheets as a component of its CMS pipeline and leaked viable OAuth2 keys allowing access to their Sheets.
“Everyone is talking about DevSecOps lately, and I think this breach is a really good illustration of why they’re necessary. You just can’t leave passwords laying around in scripts anymore or store OAuth keys in an unencrypted bucket. Whether it’s a CI/CD pipeline or CMS, that’s asking for trouble”, said Aaron Phillips, the cybersecurity professional leading this investigation.
Pinkfong’s Google Sheets contained settings for the company’s apps, and a script held important information such as a Slack webhook and username.
When contacted by VPNOverview about the flaw, Pinkfong co-founder and CTO Dongwoo Son said, “These days we don’t put passwords in the script, but there were problems in legacy scripts, so we deleted the files that contain plain passwords.”
Fortunately, no personally identifiable information from customers was exposed in this breach; Google Drive breaches could otherwise lead to mass-scale identity theft and phishing attacks.
Pinkfong staff, alerted about the flaw, immediately sealed the leak.