
Virtual Keyboard Developer Leaked 31M Client Records - danso
https://mackeepersecurity.com/post/virtual-keyboard-developer-leaked-31-million-of-client-records
======
tambourine_man
These guys write Mac malware for a living and use nefarious tactics to fool
users into installing it, while making it really hard to uninstall. I've seen
it on the Mac of many less technically inclined people.

Things like: “your Mac has been infected, click here” while the user is
downloading some torrent or watching porn. Faking the system's dialog boxes,
using chatbots “is your Mac slow?”, etc.

I'm amazed Apple hasn't banned them from the Mac App Store. I don't know how
these people sleep at night.

~~~
zeep
> I don't know how these people sleep at night.

Are you talking about Apple management or the malware developers?

~~~
erichdongubler
Not the GP, but...yes. ;)

------
lamlam
> When researchers installed Ai.Type they were shocked to discover that users
must allow “Full Access” to all of their data stored on the testing iPhone,
including all keyboard data past and present. It raises the question of why
would a keyboard and emoji application need to gather the entire data of the
user’s phone or tablet?

I have a suspicion that due to how cheap bulk storage is these days, that
companies collect as much information as they can get away with in hopes that
_maybe_ it will be useful one day. That mixed with poor security practices is
just going to keep leading to these sorts of events happening.

~~~
mtgx
This is why I'm a believer in this type of regulation - you have two options:

1) Collect only the data strictly necessary for the functioning of the
service. If you suffer a data breach, you used security best practices, and
notified the corresponding authorities and your users in due time, then you
shouldn't be punished at all, with very few exceptions. If you didn't use best
security practices, you may see some small to moderate fines, depending on
each case.

2) Collect whatever you want (while still mentioning it in your Privacy
Policy, and the whole thing). But if you suffer a data breach, and that data
is exposed, you should need a big fat banking account to survive the fine that
will be imposed on you. The fines should be big enough that they should deter
even the big players from collecting too much of the data they _don't need_.

~~~
fredley
Absolutely. Good regulation is that which effectively disincentivises anti-
consumer behavior. Businesses are playing risk/reward games all the time, and
regulation should just pile on some huge extra risk in places where it's
needed to protect consumers, and the health of the market as a whole.

~~~
codedokode
This risk/reward mechanism works only for large, established companies. There
is no real responsibility for a startup. If they make a mistake and are
caught, they can shut down the company and start a new one with the same
staff.

------
Animats
This is an Israeli company. What were they doing with the data _before_ they
leaked it? Who were they selling it to?

One of the revelations that came out of the "binary option" fiasco is that
it's legal in Israel to scam non-Israelis.[1] Financed by the binary option
industry, which is 40% of Israel's financial sector, Israel's organized crime
sector has become much larger. They need sucker lists for marketing. Data from
phones is a good way to figure out who has spare cash.

Although a recent law change in Israel is expected to shut down the binary
option industry next January, the law is very narrow. The scammers are moving
to "forex" and initial coin offerings.[2]

[1] https://www.timesofisrael.com/knesset-committee-to-vote-monday-on-watered-down-binary-options-bill/
[2] https://www.timesofisrael.com/cryptocurrencies-may-be-the-next-big-israeli-scam-top-regulator-warns/

------
danso
Note: This story was co-published with ZDNet. I know "MacKeeper" is not a
brand loved by all, but I chose to link the version from the MacKeeper
Security blog rather than ZDNet, because of how the latter blasts users with
an autoplay video: http://www.zdnet.com/article/popular-virtual-keyboard-leaks-31-million-user-data/

~~~
tinus_hn
> I know "MacKeeper" is not a brand loved by all

And the understatement of the year award goes to...

------
shadowtree
I am old enough to remember that keyloggers used to be a stealthy install. Now
users install them willingly, giving them full permissions.

What an amazing future we live in.

~~~
noxToken
In the past, a keyboard was a physical thing with keypresses that were just
keypresses. You could pick out what physical keyboard you wanted based on some
preference, but it was up to the OS to determine input events from the
keyboard. It's a whole different ballgame now.

Aside from the spacing/layout/etc. preferences from a soft keyboard, they
function differently. Samsung's default keyboard is by far the worst thing to
work with from a development standpoint. I've never had an issue working with
any other soft keyboard, but the way Samsung handles certain input events is
orthogonal to other major keyboards.

~~~
CodeWriter23
Yeah, well I remember when I had to punch drivers in via the front panel
before I could even use my keyboard.

~~~
codedokode
On the good side, those drivers didn't have Internet connection capability.

~~~
hinkley
Or so you thought.

------
tcd
I wonder from a societal point of view how data is put into the "public" and
"private" camp. This is one of hundreds of leaks, and there are many more
thousands to come over the next decade. It's to the point where I just assume
my contacts, keyboard data, location history, voice searches and more are just
public and somebody has access.

Apple, Google, Microsoft have shown no interest in wanting to actively prevent
these apps from being on the app store [1], [2], try spotting the fakes.

And the fact that there is no legislation against this behaviour, and there's
no real way to punish leaks like this in a purely objective way.

Welcome to the 21st century I guess?

[1]: https://fnd.io/#/us/search?mediaType=ios&term=whatsapp

[2]: https://play.google.com/store/search?q=whatsapp%20messenger&c=apps

~~~
Sylos
Well, privacy is not binary. Nothing is ever fully public or fully private.
Something being more or less private just describes how hard it is for someone
to get this information. The inertia of this information.

Do they have to drive to your house to find out where they can break in or can
they see from Google StreetView? Do they have to collect a whole bunch of
phone books to find out your name+number or is it readily available in a
dataset online? Can they just access your PC without hindrance or do they need
to strap you to a torture rack to get your password out of you?

And just as well, information loses value over time. Either because it's not
anymore correct / particularly relevant, or because it's covered up by more
accessible information.

Why worry about fingerprinting one user's browser when billions of people
don't even clear their cookies? Why sift through a data leak of 10000 people
when a data leak with millions of people is just as well available? Why try to
steal the identity of that guy whose data got leaked in one data leak, if
there's this other guy with cross-referencable entries in 8 data leaks?

As such, it's still always going to be worth something to try to reduce your
data footprint. If you're smarter about your data than most other people are,
you'll stop being interesting to data brokers, because you're just too much
effort.

------
DominoTree
I'm still mostly just wondering why the hell a company that does shady
advertising and pushes adware is doing security write-ups.

~~~
code_duck
"Researchers were able to access the data and details of 31,293,959 users"

Well... I wonder whether they kept all that data?

------
codedokode
> Summary of what the database contained:

> Phone number,

> full name of the owner,

> IMEI number

> links and the information associated with the social media profiles
> (birthdate, title, emails etc.)

What's wrong with their users? Why would a keyboard app need this information?

At least I would not install an app requiring those permissions. And I allow
the Android phone to connect to the Internet only via my firewall (of course
Google servers are blocked from the start).

~~~
rahul003
You do realize that probably 99.9% of users don't go to lengths such as firewalls
to secure their data. People are not that tech savvy in general. Even among
all my tech friends, no one uses VPNs or firewalls.

------
rad_gruchalski
Leaking customer data is one thing but the article mentions the app also
collected contacts from these phones. And that was leaked too!

------
flaxton
Really, you’re going to treat Mac "Keeper", well-known malware, as a legit
source for security info? Really? Really?

------
hectorr1
Can someone clarify whether 'Full Access' allows logging of keystrokes on the
standard keyboard by these developers? Or do they just get to see which Rick
and Morty gifs I search for when I switch to their board?

~~~
mromanuk
Full Access grants the 3rd party keyboard access to what the user types or
pastes, but just for the 3rd party keyboard, not the system or other 3rd party
keyboards. The 3rd party keyboard _can_ send the data to the internet.
Source/Disclaimer: I'm writing an iOS keyboard extension.

------
danjoc
"Data is the new oil."

These are the new oil spills.

------
z3t4
There needs to be a limit on telemetry, e.g. what data programs collect about
you. This is not something new though, but hard drive space is getting cheaper
so it's possible to store even more data. All this data is a gold mine for
marketing, knowing what you search for, what you have on your hard drive, all
your friends, and social contacts.

------
sundvor
That's scary. It also made me think of a certain online only grammar checking
service that sounds like it could be registered in Libya, where _everything_
you type is sent to their service. Madness - in my mind, at least; their site
says nothing about how they protect their customers' data.

------
laythea
The problem is not the software, or how data is handled. There is no such
thing as secure data that has been "published". The problem is people accept
this level of snooping by software or are ignorant to it.

------
cdancette
Does someone know a good keyboard on Android, that doesn't send all your
keystrokes to the internet?

This systematic data collection is really annoying and hard to avoid today.

------
ausjke
2-step authentication is a must these days; when they can leak keyboard
typing, your password becomes useless.

~~~
masswerk
But they are also leaking your phone number next to your keystrokes, so 2FA
based on text messages is also broken. (To attack/reroute SS7, the subscriber
number is all you need – which isn't much of a secret, but mostly public data,
anyway.)

------
deelin
This little comment about Mongo really bothers me... I disagree that it's a
flaw. It's obviously the fault of the tech team for not securing the DB.

"One flaw is that the default settings of a MongoDB database would allow
anyone with an internet connection to browse the databases, download them, or
even worst case scenario to even delete the data stored on them"

~~~
ansy
Insecure by default is flawed by default.

Unless a product requires certification to use, it can't rely on expert
knowledge to provide safety.

~~~
deelin
Imagine that you created a tool that had all security features enabled. The
usability of it would be incredibly low and the barrier to entry so high that
rarely anyone would use your tool. The idea behind allowing "open access" is
to allow for a new user to learn the most important aspect of your tool by
realizing what problems it solves.

Of course, from a security standpoint, people will still make mistakes like
this, but the onus is NOT on the tool developers. They make it configurable
for a reason.

~~~
ansy
Sorry, a world where every tool is riddled with security holes by default and
every developer needs to learn them inside and out to close them all through
configuration is a ridiculous burden.

Is it really that difficult to require someone to set a secure password before
a product is usable?
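
The article sentence quoted by deelin above, and the default-settings argument that follows it, come down to two lines of mongod configuration: the bind address and the authorization switch. The script below is an added example, not from the MacKeeper article or any commenter here: a small audit that reads a YAML-style mongod.conf and reports those two settings, run against two constructed config files (an "exposed" one that matches the shape of the databases found in such incidents, and a hardened one). The function name audit_mongod_conf and the file names are my own choices.

```shell
#!/bin/sh
# Added example, not from the article or this thread: audit a mongod.conf (YAML
# format) for the two settings that turn a MongoDB instance into a public
# database: listening on every interface and running with authorization
# disabled. Both config files below are constructed for the demonstration.
# audit_mongod_conf returns 0 when it reports no finding, 1 otherwise.

audit_mongod_conf() {
    conf="$1"
    findings=0
    # Drop comment lines so a commented-out setting is not mistaken for a live one.
    live=$(grep -Ev '^[[:space:]]*#' "$conf")

    if printf '%s\n' "$live" | grep -Eq '^[[:space:]]*bindIp:.*0\.0\.0\.0'; then
        echo "$conf: net.bindIp includes 0.0.0.0 (listens on every interface)"
        findings=$((findings + 1))
    elif printf '%s\n' "$live" | grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true'; then
        echo "$conf: net.bindIpAll is true (listens on every interface)"
        findings=$((findings + 1))
    elif ! printf '%s\n' "$live" | grep -Eq '^[[:space:]]*bindIp:'; then
        # No explicit bind address: mongod before 3.6 listened on all interfaces by default.
        echo "$conf: net.bindIp not set (all interfaces on releases before 3.6)"
        findings=$((findings + 1))
    fi

    if ! printf '%s\n' "$live" | grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled'; then
        echo "$conf: security.authorization not enabled (no login needed to read or drop data)"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

WORK=$(mktemp -d)

# Constructed: the shape of config behind the exposed instances (all interfaces,
# authorization left commented out).
cat > "$WORK/exposed.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
# security:
#   authorization: enabled
EOF

# Constructed: the corrected settings, a loopback-only listener and mandatory login.
cat > "$WORK/hardened.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF

# Stand-alone run: report each file; the exposed one gets two findings.
for f in "$WORK/exposed.conf" "$WORK/hardened.conf"; do
    if audit_mongod_conf "$f"; then
        echo "$f: no findings"
    fi
done
```

Two caveats on the hardened settings: `security.authorization: enabled` only helps once an administrative user exists in the `admin` database (created with `db.createUser` in the mongo shell before the switch is flipped, otherwise the localhost exception is the only way in), and the missing-bindIp finding matters for releases before 3.6, which is when mongod started binding to localhost by default. The check is deliberately simple: it handles the YAML config format only, not the older `bind_ip=` ini style, and it does not replace looking at what the process actually listens on.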

