Millions of Private Conversations Exposed by Two AI Companion Apps Due to Poor Security

Source: Malwarebytes

Researchers found that the two AI companion apps left a Kafka broker instance publicly accessible with no authentication or access controls. Anyone who could reach the broker could subscribe to its real-time data streams, which carried users' private messages and media. Both apps were developed by Imagime Interactive Limited; Chattee Chat in particular has a significant user base in the US. The exposed data, which included NSFW content, was linked to over 400,000 users and revealed IP addresses and unique device identifiers that could be cross-referenced with other breaches to identify individuals.

The incident shows that privacy weaknesses in AI companion apps are an ongoing problem and that developers are under-investing in security despite significant revenue. Poorly secured infrastructure such as an open Kafka broker can be exploited without any sophisticated hacking skills: reading from an unauthenticated broker requires nothing more than a standard Kafka client pointed at its address. The exposed data could be misused for harassment, sextortion, financial fraud and reputational damage. Although the exposure was closed after responsible disclosure, users remain at risk wherever similar misconfigurations persist.
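The two paragraphs above describe the failure mode (a broker reachable from the internet that hands its data streams to anyone) and how little skill exploiting it takes. The following is an added example, not code from the Malwarebytes article or from the apps it describes, showing the check a practitioner would run against their own brokers: it speaks just enough of the Kafka wire protocol to send a MetadataRequest v0 (API key 3) with no credentials and report which topics come back. A PLAINTEXT listener answers with every topic name; a listener that requires SASL closes the connection on an unauthenticated Metadata request (ApiVersions is deliberately not used, because SASL listeners answer that one before authentication). The fake broker, the sample response bytes and the loopback host/port are constructed here for the demonstration.

```python
"""Probe a Kafka listener for unauthenticated access (added example).

MetadataRequest v0 / MetadataResponse v0 encoding follows the Kafka
protocol guide. Everything else here (fake broker, sample response,
topic names) is constructed for this example and assumed, not taken
from any real deployment.
"""
import socket
import struct
import threading

METADATA_API_KEY = 3
METADATA_V0 = 0


def _enc_str(s: str) -> bytes:
    """Kafka STRING: int16 length prefix followed by UTF-8 bytes."""
    b = s.encode()
    return struct.pack(">h", len(b)) + b


def build_metadata_request(correlation_id: int, client_id: str = "exposure-probe") -> bytes:
    """Size-prefixed MetadataRequest v0; an empty topic array means 'all topics'."""
    header = struct.pack(">hhi", METADATA_API_KEY, METADATA_V0, correlation_id) + _enc_str(client_id)
    payload = header + struct.pack(">i", 0)
    return struct.pack(">i", len(payload)) + payload


class _Reader:
    """Cursor over a big-endian Kafka response body."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, fmt: str):
        value = struct.unpack_from(fmt, self.data, self.pos)[0]
        self.pos += struct.calcsize(fmt)
        return value

    def int16(self) -> int:
        return self._take(">h")

    def int32(self) -> int:
        return self._take(">i")

    def string(self) -> str:
        n = self.int16()
        s = self.data[self.pos:self.pos + n].decode()
        self.pos += n
        return s


def parse_metadata_response(body: bytes) -> dict:
    """Decode a MetadataResponse v0 (size prefix already stripped)."""
    r = _Reader(body)
    correlation_id = r.int32()
    brokers = [(r.int32(), r.string(), r.int32()) for _ in range(r.int32())]
    topics = {}
    for _ in range(r.int32()):
        r.int16()                                  # topic-level error code
        name = r.string()
        n_partitions = r.int32()
        for _ in range(n_partitions):
            r.int16(); r.int32(); r.int32()        # error code, partition index, leader
            for _ in range(r.int32()):             # replica node ids
                r.int32()
            for _ in range(r.int32()):             # in-sync replica node ids
                r.int32()
        topics[name] = n_partitions
    return {"correlation_id": correlation_id, "brokers": brokers, "topics": topics}


def _recv_exact(sock: socket.socket, n: int):
    """Read exactly n bytes, or None if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def probe(host: str, port: int, timeout: float = 5.0):
    """Parsed metadata if the listener answers unauthenticated, else None.

    A SASL or TLS listener closes or resets the connection instead of
    answering a bare Metadata request, so any OSError also means 'not open'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_metadata_request(correlation_id=1))
            size = _recv_exact(s, 4)
            if size is None:
                return None
            body = _recv_exact(s, struct.unpack(">i", size)[0])
    except OSError:
        return None
    return parse_metadata_response(body) if body else None


def _partition(index: int, leader: int) -> bytes:
    # error code, partition index, leader, then replicas and ISR arrays of one node each
    return struct.pack(">hii", 0, index, leader) + struct.pack(">ii", 1, leader) * 2


# Constructed MetadataResponse v0 (not captured from any real broker):
# one broker and two single-partition topics with made-up names.
SAMPLE_RESPONSE = (
    struct.pack(">ii", 1, 1)                                   # correlation_id, 1 broker
    + struct.pack(">i", 0) + _enc_str("broker.internal") + struct.pack(">i", 9092)
    + struct.pack(">i", 2)                                     # 2 topics
    + struct.pack(">h", 0) + _enc_str("chat-messages") + struct.pack(">i", 1) + _partition(0, 0)
    + struct.pack(">h", 0) + _enc_str("user-media") + struct.pack(">i", 1) + _partition(0, 0)
)


def _fake_broker(answer: bool) -> int:
    """Loopback listener that serves one connection: either replies like a
    PLAINTEXT broker, or drains the request and closes like a SASL listener
    given an unauthenticated Metadata request. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            size = _recv_exact(conn, 4)
            if size:
                _recv_exact(conn, struct.unpack(">i", size)[0])  # drain the request
                if answer:
                    conn.sendall(struct.pack(">i", len(SAMPLE_RESPONSE)) + SAMPLE_RESPONSE)

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo(open_listener: bool):
    """Round trip against the fake broker: topic dict when exposed, None otherwise."""
    return probe("127.0.0.1", _fake_broker(answer=open_listener), timeout=3.0)


if __name__ == "__main__":
    exposed = demo(open_listener=True)
    print("open listener answered:", exposed["brokers"], sorted(exposed["topics"]))
    print("SASL-style listener answered:", demo(open_listener=False))
```

Run it only against brokers you are authorized to test. A non-None result from `probe()` means the listener is the misconfiguration the article describes: the topic names alone leak what the system processes, and a consumer could then read the streams. On the broker side the fix is to expose only a `SASL_SSL` (or mTLS `SSL`) listener externally, enable an authorizer (`kafka.security.authorizer.AclAuthorizer` on ZooKeeper-based clusters, `org.apache.kafka.metadata.authorizer.StandardAuthorizer` on KRaft) and set `allow.everyone.if.no.acl.found=false`, so that even an authenticated client sees nothing it has not been granted.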

The researchers urge users to be cautious about the privacy claims of AI companion apps and to take the standard post-breach precautions: change passwords, enable two-factor authentication and monitor for identity misuse. Developers are urged to configure their infrastructure properly, since leaks like this are avoidable and pose serious risks to users. The incident highlights the broader security challenges that come with the rapid rollout of AI-based services.

👉 Read the original: Malwarebytes