Back in 2013, Robin McGraw, wife of U.S. television personality Dr. Phil, launched an app to help domestic violence victims covertly signal distress. It was quickly heralded as a potential lifesaver for those in harm’s way.
Aspire News, which claims over 300,000 downloads, is disguised to look like an innocuous news reading app that domestic violence victims can use to alert friends and family to abuse or danger. When a victim taps the top bar of the app three times, the app can alert trusted contacts by text message, sending a prewritten message, a prerecorded voice note and the victim’s precise location to indicate that they need help or are in danger.
But a security lapse meant that those uploaded voice recordings were left exposed on an unprotected cloud server for anyone to access.
Security researchers Noam Rotem and Ran Locar found the exposed recordings and reported the incident. The database was pulled offline shortly after. Rotem and Locar shared their findings exclusively with TechCrunch.
The cloud server contained over 4,000 recordings, dating back to September 2017. The recordings varied in length and nature, but some contained personally identifiable information, such as the victim’s name, address and phone number, information that could be relayed to the emergency services.
At least one recording we listened to explicitly stated the name of the victim’s abuser.
Given the sensitivity of the data, we did not reach out to app users for fear that it would compromise their safety.
Instead, we confirmed that the data belonged to Aspire by downloading the app and recording a short voice snippet. When we triggered the alert, we received a text message with a web address to the recording file stored on the cloud server. That means anyone who received a similar link to a recording file could have easily found other recordings simply by shortening the full link.
We asked the foundation run by the McGraws, When Georgia Smiled, how long the cloud server was exposed and if it had plans to inform users of the security lapse, but a representative for the foundation did not comment.
A spokesperson for CBS, which airs Dr. Phil, did not respond to a request for comment.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911.