Millions of golfer records from the Game Golf app, including GPS details from courses played, usernames and passwords, and even Facebook login data, were all exposed for anyone with an internet browser to see -- a veritable hole-in-one for a cyberattacker looking to build profiles for potential victims, to be used in follow-on social-engineering attacks. Threatpost reports: Security Discovery researcher Bob Diachenko recently ran across an Elastic database that was not password-protected and thus visible in any browser. Further inspection showed that it belongs to Game Golf, which is a family of apps developed by San Francisco-based Game Your Game Inc. Game Golf comes as a free app, as a paid pro version with coaching tools and also bundled with a wearable. It's a straightforward analyzer for those who like to hit the links -- tracking courses played, GPS data for specific shots, various player stats and so on -- plus there's a messaging and community function, and an optional "caddy" feature. It's popular, too: it has 50,000+ installs on Google Play.
Unfortunately, Game Golf landed its users in a sand trap of privacy concerns by not securing the database: Security Discovery senior security researcher Jeremiah Fowler said that the bucket included all of the aforementioned analyzer information, plus profile data like usernames and hashed passwords, emails, gender, and Facebook IDs and authorization tokens. In all, the exposure consisted of millions of records, including details on "134 million rounds of golf, 4.9 million user notifications and 19.2 million records in a folder called 'activity feed,'" Fowler said. The database also contained network information for the company: IP addresses, ports, pathways and storage info that "cybercriminals could exploit to access deeper into the network," according to Fowler, writing in a post on Tuesday. No word on whether malicious players took a swing at the data, as it were, but the sheer breadth of the information that the app gathers is concerning, Fowler noted.
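The root cause described above is the classic Elasticsearch exposure pattern: the HTTP API bound to a network-facing address with security never switched on, so every request is anonymous. The following audit script is an added example, not code from Threatpost, Security Discovery or Game Your Game Inc., and the two elasticsearch.yml fragments in it are constructed to illustrate the weak and the corrected configuration (the actual Game Golf settings are not public). It assumes a flat `dotted.key: value` config file, which is how Elasticsearch settings are normally written, and uses only the standard library.

```python
"""Flag an elasticsearch.yml that leaves the REST API open to the network.

Added example, not the original page's code. The sample configs below are
constructed; they are not the real Game Golf deployment's settings.
"""
import ipaddress

# Constructed: the exposure pattern reported above. Reachable from anywhere,
# and xpack.security.enabled is false (the default on 7.x and earlier).
WEAK_CONFIG = """\
cluster.name: golf-analytics
node.name: es-1
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed: same cluster, bound to an internal address, with
# authentication and TLS on the HTTP listener turned on.
HARDENED_CONFIG = """\
cluster.name: golf-analytics
node.name: es-1
network.host: 10.0.3.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines Elasticsearch uses.

    Deliberately simplified: no nesting or lists, comments stripped,
    surrounding quotes removed. Splitting on the first ':' keeps IPv6
    literals such as '::' intact as the value.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _truthy(value, default):
    """Interpret an Elasticsearch boolean setting, falling back to a default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def bind_scope(settings):
    """Return 'loopback' or 'network' for the HTTP listener.

    http.host overrides network.host; when neither is set Elasticsearch
    listens on loopback only. Special values like _site_, _global_ or an
    interface name (_eth0_) all mean a non-loopback address.
    """
    host = settings.get("http.host", settings.get("network.host", "_local_"))
    if host in ("_local_", "localhost"):
        return "loopback"
    if host.startswith("_"):
        return "network"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "network"
    except ValueError:
        # A hostname: assume it resolves to something reachable off-box.
        return "network"


def audit(text, major_version=7):
    """Return a list of findings for one elasticsearch.yml.

    major_version matters because xpack.security.enabled defaults to false
    before 8.0 and to true from 8.0 on.
    """
    s = parse_flat_yaml(text)
    findings = []
    scope = bind_scope(s)
    port = s.get("http.port", "9200")
    security_on = _truthy(s.get("xpack.security.enabled"), default=major_version >= 8)
    http_tls = _truthy(s.get("xpack.security.http.ssl.enabled"), default=False)

    if scope == "network" and not security_on:
        findings.append(
            "CRITICAL: HTTP API reachable from the network with security disabled; "
            "anyone who can reach port %s can read and write every index" % port
        )
    elif scope == "network" and not http_tls:
        findings.append(
            "HIGH: authentication is on but HTTP TLS is off; credentials and "
            "query results cross the network in clear text"
        )
    if _truthy(s.get("http.cors.enabled"), False) and s.get("http.cors.allow-origin") == "*":
        findings.append("MEDIUM: CORS allows any origin; any web page a user visits can query the cluster")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The check is intentionally conservative: a private address such as 10.0.3.12 still counts as "network", because an unauthenticated listener on an internal subnet is one misconfigured firewall rule away from the situation reported above. A live cluster can be verified the same way from outside: an unauthenticated `GET /` on port 9200 that returns the cluster banner instead of a 401 is the condition this audit predicts from the config.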
Read more of this story at Slashdot.