AI Photo ID apps leak sensitive GPS data for millions of users

Popular AI-powered identification apps have exposed the private data of over 150,000 users.
According to a new report by Cybernews, three Android applications used to identify animals and insects are at the centre of the breach. The affected apps include “Dog Breed Identifier Photo Cam,” “Spider Identifier App by Photo,” and “Insect Identifier by Photo Cam.”
Together, these tools have amassed more than two million downloads on the Google Play store.
Researchers found that the leak was caused by a critical misconfiguration in Firebase, a popular backend platform. Insufficient authentication controls allowed the apps’ databases to remain open to the public internet. This lapse enabled anyone to view and even modify sensitive user information without a password.
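The misconfiguration described above usually comes down to the database's security rules. The following added example, which is not code from the report or from the affected apps, shows a constructed wide-open Firebase Realtime Database rules document beside a constructed per-user hardened version, and a small lint that flags any `.read`/`.write` rule granting access to the whole internet or to every signed-in account. The `users/$uid` layout and key names are assumptions, not the apps' real schema.

```python
"""Lint Firebase Realtime Database security rules for wide-open access.

Added example, not code from the Cybernews report or the affected apps.
The rules JSON below is constructed for illustration; the paths and key
names are assumptions, not the apps' real schema.
"""
import json
import re

# Constructed example of the misconfiguration the article describes:
# anyone on the internet can read and write every record, no password needed.
WEAK_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed hardened version: each user may only read and write their own
# node, and nothing is readable at the root.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})

# Rule values that grant access to the whole internet (literal true) or to
# every signed-in account regardless of uid (bare "auth != null"); both are
# too broad for per-user profile data such as email, photo and location.
_PUBLIC = {True, "true"}
_ANY_SIGNED_IN = re.compile(r"^\s*auth\s*!=\s*null\s*$")


def find_open_rules(rules_json):
    """Return (path, rule_key, severity) for every overly permissive rule.

    severity 'public'   -> no authentication required at all
    severity 'any-user' -> any authenticated account, regardless of uid
    """
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if value in _PUBLIC:
                    findings.append((path, key, "public"))
                elif isinstance(value, str) and _ANY_SIGNED_IN.match(value):
                    findings.append((path, key, "any-user"))
            elif not key.startswith("."):
                # Child path (including "$uid" wildcards): recurse into it.
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_open_rules(doc) or "no open rules")
```

Running the lint against a project's exported rules before each release is a cheap check; a finding at the root path `""` means the entire database is exposed the way the article describes.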
The leaked data includes email addresses, usernames, and profile photos. More alarmingly, the apps exposed precise GPS coordinates. This location data was likely harvested through app permissions or extracted directly from the metadata of photos uploaded by users.
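Photos carry location in their EXIF GPS tags, so an app that uploads user images should either strip that segment before upload or at least know it is there. The following added example (not code from the report or the apps) builds a constructed minimal JPEG-like byte string with an EXIF GPS block, parses the latitude and longitude back out of it, and removes the whole Exif APP1 segment. The sample bytes are not a decodable image; only the segment layout matters here, and the coordinates are made up.

```python
"""Detect and strip EXIF GPS coordinates from a JPEG before upload.

Added example, not code from the Cybernews report or the affected apps.
Works directly on the JPEG segment structure with the standard library.
"""
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_sample_jpeg(lat, lon):
    """Construct a tiny JPEG-like byte string carrying an EXIF GPS block.

    Constructed sample input for this example; not a real decodable image.
    Layout, offsets relative to the TIFF header: 0 header (8 bytes),
    8 IFD0 (18), 26 GPS IFD (54), 80 latitude DMS (24), 104 longitude DMS (24).
    """
    bo = ">"  # big-endian ("MM") TIFF

    def dms(value):
        deg = int(value)
        minutes = int((value - deg) * 60)
        seconds = (value - deg - minutes / 60) * 3600
        return struct.pack(bo + "LLLLLL", deg, 1, minutes, 1, int(round(seconds * 100)), 100)

    tiff = b"MM" + struct.pack(bo + "HL", 42, 8)
    ifd0 = struct.pack(bo + "H", 1) + struct.pack(bo + "HHLL", GPS_IFD_TAG, 4, 1, 26) + struct.pack(bo + "L", 0)
    gps = struct.pack(bo + "H", 4)
    gps += struct.pack(bo + "HHL", TAG_LAT_REF, 2, 2) + (b"N" if lat >= 0 else b"S") + b"\0\0\0"
    gps += struct.pack(bo + "HHLL", TAG_LAT, 5, 3, 80)
    gps += struct.pack(bo + "HHL", TAG_LON_REF, 2, 2) + (b"E" if lon >= 0 else b"W") + b"\0\0\0"
    gps += struct.pack(bo + "HHLL", TAG_LON, 5, 3, 104)
    gps += struct.pack(bo + "L", 0)
    tiff += ifd0 + gps + dms(abs(lat)) + dms(abs(lon))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _exif_segment(jpeg):
    """Return (start, end) byte offsets of the APP1 Exif segment, or None."""
    pos = 2  # skip SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more metadata
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return pos, pos + 2 + length
        pos += 2 + length
    return None


def _parse_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw 4-byte value/offset)} for one IFD."""
    count = struct.unpack_from(bo + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(bo + "HHL4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, n, raw)
    return entries


def _dms_to_degrees(tiff, offset, bo):
    """Read three RATIONALs (deg, min, sec) and return decimal degrees."""
    v = struct.unpack_from(bo + "LLLLLL", tiff, offset)
    d, m, s = ((v[i] / v[i + 1]) if v[i + 1] else 0.0 for i in (0, 2, 4))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS EXIF, else None."""
    seg = _exif_segment(jpeg)
    if seg is None:
        return None
    tiff = jpeg[seg[0] + 10:seg[1]]
    bo = ">" if tiff[:2] == b"MM" else "<"
    ifd0 = _parse_ifd(tiff, struct.unpack_from(bo + "L", tiff, 4)[0], bo)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _parse_ifd(tiff, struct.unpack_from(bo + "L", ifd0[GPS_IFD_TAG][2])[0], bo)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat = _dms_to_degrees(tiff, struct.unpack_from(bo + "L", gps[TAG_LAT][2])[0], bo)
    lon = _dms_to_degrees(tiff, struct.unpack_from(bo + "L", gps[TAG_LON][2])[0], bo)
    if gps[TAG_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[TAG_LON_REF][2][:1] == b"W":
        lon = -lon
    return lat, lon


def strip_exif(jpeg):
    """Return the JPEG with its Exif APP1 segment (GPS included) removed."""
    seg = _exif_segment(jpeg)
    return jpeg if seg is None else jpeg[:seg[0]] + jpeg[seg[1]:]


if __name__ == "__main__":
    sample = build_sample_jpeg(48.5, -2.25)  # constructed coordinates
    print("before:", extract_gps(sample))
    print("after: ", extract_gps(strip_exif(sample)))
```

Dropping the whole APP1 segment is the simplest safe choice on the client: it also removes camera serial numbers and timestamps, and a server that never receives the coordinates cannot leak them through an open database.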
Security experts warn that this information could be used for stalking, doxxing, or targeted social engineering attacks. By linking usernames and photos to physical addresses, malicious actors could potentially track a user’s movements or identify where they live.
The investigation also uncovered evidence that cybercriminals may have already accessed the information. Each of the exposed databases contained a “poc” (Proof of Concept) entry.
These markers are typically left behind by automated bots that scan the web for unsecured servers, suggesting the data was compromised before researchers arrived.
Beyond these specific apps, the Cybernews team highlighted a broader trend of poor security in the AI sector. Their research into Android AI applications found that 72% contained “hardcoded secrets,” such as API keys and cloud identifiers. These secrets act as master keys that hackers can use to gain deeper access to a company’s infrastructure.
The apps are linked to developers MobilMinds and OZI Technologies. Despite multiple attempts by researchers to disclose the vulnerability, the developers have not responded.
The leak serves as a stark reminder that high download counts do not guarantee security. Experts recommend that users regularly check app permissions and remain cautious about granting location access to niche utility apps.
For those who have used these identifiers, the risk remains high as the data may already be in the hands of threat actors.
https://cybernews.com/security/ai-photo-apps-leaking-gps-data/
