Peekaboo Moments baby-recording app has a bad database booboo

No need to wait until you’ve gurgled out of your mother’s womb to experience the joys of having your privacy breached, thanks to a mobile app called Peekaboo Moments.

Bithouse Inc. – the developer of the mobile app, which is designed to capture photos, audio, weight, length, video and diaries of tots starting as early as their zygote days – has left an Elasticsearch database flapping wide open, leaving thousands of infants’ videos and images exposed, unsecured and up for babbling its contents to any internet busybody who knows where to look.

The database was discovered by Dan Ehrlich, who runs the Texas-based cybersec startup Twelve Security. Ehrlich told Information Security Media Group (ISMG) that the 100GB database contains more than 70 million log files, with data going back as far as March 2019. The logs record when someone uses the Peekaboo app, what actions they took and when.

And my oh my, what actions you can take! As the Peekaboo Moment developer croons on the app’s Google Play listing, users can…

Take photos, videos for your little ones! Starting from pregnancy, newborn to every first ‘papa’ & ‘mama’, these memories will be auto-organized by age of child.

Users can also record the weight, length and birth dates of their babies, as well as their location data, in latitude and longitude, down to four decimal points: an accuracy that translates to within about 30 feet. In other words, this could be Baby’s First PII Breach.

The open database has exposed at least 800,000 email addresses, detailed device data, and links to photos and videos. The frosting on the cupcake: Ehrlich found that the Peekaboo Moments’ API keys for Facebook – which enable users to take content they’ve uploaded to Facebook and post it in the Peekaboo app – have also been exposed, potentially enabling an attacker to get access to content on users’ Facebook pages.