App that lets you pay celebrities to do custom shout-outs found exposing passwords, email addresses

Cameo app that lets users pay celebrities to do custom shout-outs was found exposing passwords, email addresses, and private videos

  • Cameo was found to have credentials accessible in the code of its app
  • The credentials gave access to Amazon buckets containing user data
  • Data includes email addresses, hashed passwords, and full names
  • Motherboard found that private videos were also accessible 

Celebrity shout-out app, Cameo, has been exposing highly sensitive user data including passwords, email addresses, and even supposedly private videos commissioned through the platform.

According to a report from Motherboard who cited the findings of an anonymous security researcher, the Cameo app, which lets users pay for short shout-out videos from celebrities, contained unsecured credentials that allowed one to access its backend.

Those credentials – available to anyone who opened the Android app up and viewed its code  – gave the researcher access Amazon S3 buckets, online databases operated by Cameo, that contained passowrds hashed and encrypted using a fairly weak process called Salt, phone numbers, email addresses, and names.

Cameo (pictured) is a celebrity shout out app that lets users pay for custom videos. Motherboard reports the app was found exposing private user data including email addresses and passwords

Additionally, the researcher also found that videos recorded by celebrity members of Cameo that were meant to be private were also easily accessible.

In a test conducted by Motherboard which commissioned celebrity voice actor and comedian Gilbert Gottfried to record a video saying ‘cybersecurity is becoming more and more relevant today, what with the apps, and viruses and hackers’ the outlet was able to write script that retrieved allegedly private videos from the platform.

According to Motherboard, the ability to hoover those videos stems from a flaw in the review system which lets one reconstruct a specific URL that is sent to users and allows them to watch their video.

Cameo reportedly instructs celebrities participating in its service to send their video URL’s to a bot on the messaging app Telegram which then relays the message to the end-user.

According to Motherboard, the credentials inside Cameo’s app appear to have been accessible for about two years.

Cameo said that the vulnerability has since been closed. Motherboard reports that it could have been in existence for two years

Cameo said that the vulnerability has since been closed. Motherboard reports that it could have been in existence for two years

‘Cameo recently learned of a vulnerability in one of our databases from a third party security data researcher potentially affecting a limited amount of account holder data,’ Cameo told Motherboard in response to the findings.

‘Our team promptly fixed the issue. After thoroughly investigating the matter, we are currently not aware of any evidence indicating that anyone else other than the security researcher knew of or utilized the vulnerability. The trust of our community and data security are top priorities for Cameo. We are continuing to actively investigate the issue and continuously investing in data security.’