On the face of it, it sounded like a good idea.
A smartphone app, disguised as a regular app delivering the top world, sports, and entertainment news, containing a secret feature that allows victims of domestic abuse to send a covert distress call for help at the touch of a button.
That was the idea behind the free Aspire News App, launched some years ago by When Georgia Smiled, a US non-profit founded by Robin McGraw and her husband US TV star “Dr Phil” to help victims of domestic violence and sexual assault.
To be honest, that still sounds like a good idea to me – if the app is coded well, and if any data it collects is properly secured.
But what isn’t a good idea is for voice recordings made by the app to be left exposed on an unsecured Amazon Web Services (AWS) S3 bucket, allowing anyone with internet access to download them and listen if they so wish.
According to security researchers at VPN Mentor, who found the exposed data, over 4,000 voice recordings of emergency messages left by victims of domestic violence were available to access – no password required.
Some of the 230MB worth of recordings included personally identifiable information such as names, home addresses, as well as the identities of violent abusers.
Transcripts of just two of the recordings that were exposed reveal the seriousness of the situation:
“[Full Name] is threatening or hurting me. Please send help now. [Full address]”
“Please call the police right away and have them come to [Full Address]. I am in great danger. I need you to send the police right away, please…”
Potentially, if the information fell into the wrong hands it could not only expose people who did not want the data revealed at the risk of extortion, but it could also put victims in greater physical danger if their abuser found out.
The researchers attempted to reach out to When Georgia Smiled and the Dr. Phil Foundation to get the serious data breach fixed last Wednesday, but ultimately it took the involvement of AWS itself to get the unsecured web bucket shut down.
So, that’s a happy end to the story, right?
Well, perhaps not.
You see, a security failure like this could lead to victims of domestic abuse losing confidence in Aspire News App. If they do not feel safe any longer using the app, they may find it harder to escape abusive relationships safely.
That clearly wasn’t what Dr Phil and his wife Robin McGraw wanted – the Aspire News app was supposed to help people escape dangerous situations, not make it even harder to find a way out.