Oyetalk, the Android Voice Chat App With 5M Downloads Leaked Private User Conversations

OyeTalk, a popular app for voice chats, left user chats unencrypted and stored them on an unprotected database without a password.

With over five million downloads on the Google Play Store and a 4.1 out of 5-star rating from 21,000 reviews, OyeTalk is a popular voice-chat app. The platform enables users to engage in discussion rooms on diverse topics and host podcasts. The app is promoted on the website as one of the fastest-growing audio talent-hosting applications, which can be downloaded in over 100 countries.

Unprotected access to Firebase, Google’s mobile application development platform that provides cloud-hosted database services, caused data leakage. Over 500MB of data, including unencrypted user chats, usernames, and cell phone International Mobile Equipment (IMEI) numbers, was exposed.

Furthermore, it was reported that sensitive hardcoded data, such as Google API (application programming interface), was present on the client side of the app. This is considered unsafe because it can be easily accessed through reverse engineering.

Before the most recent data leak, the OyeTalk app had already experienced prior security breaches. According to an investigation, an unidentified party previously identified and flagged the app’s database as susceptible to data leaks. This discovery was likely made without malicious intent. The database also had specific fingerprints, referred to as „Proof of Compromise (PoC),“ which are typically used to indicate open Firebases.

According to CN, “hardcoding sensitive data into the client side of an Android app is unsafe, as in most cases it can be easily accessed through reverse engineering. In the past, this sloppy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems.”

Although the app developers were notified of the data leak, they neglected to restrict public access to the database. However, since the extent of the leak was significant, Google’s security measures intervened and terminated the instance. A notification was issued indicating that the dataset was too voluminous to download in a single attempt.