Popsugar's Twinning Selfie App Springs A Leak And Exposes Users' Photos
Popsugar is a media company that focuses on trends, fashion, beauty, fitness, and food. Its Twinning app is a photo-matching tool that finds a user’s top-five celebrity “twins”. Users need to simply upload a selfie of themselves from the shoulders up through the #twinning app. They are then able to share their matches on Facebook and Twitter with a URL.
The photos are stored on an Amazon Web Service (AWS) storage bucket. TechCrunch reported that the web address for the storage bucket could be easily found in Twinning’s website code. The publication was able to open a web browser and view the uploaded photos. It confirmed the leak by uploading a few test selfies and noted that others with more malicious plans would be able to easily download the photos.
Popsugar claims that while they post a composite of the user’s and celebrity photos on a public URL, they “only provide this unique URL to you” to share with your friends. This URL can also be easily removed at the user's request. According to their privacy policy, with the exception of the third-party service providers who match the user with their celebrity twins, no one should be able to access your photos without your permission.
The leak was reported to Popsugar, which quickly locked the storage bucket. Vice-president of engineering Mike Patnode noted that “the bucket permissions weren’t set up correctly.” The photos can no longer be effortlessly accessed with a web address.
Popsugar is not the only company to recently compromise their users’ photos. Facebook announced this past month that that a bug allowed third-party apps to access the photos of nearly 6.8 million users. The bug enabled third-party apps to acquire photos from Facebook Stories, the Marketplace, and photos that were uploaded but never posted. This was merely one of the many privacy bugs that Facebook dealt with in 2018.