Pray.com’s app has been leaking user data, according to a new report from security researchers at vpnMentor. Servers hosting the application data were misconfigured and publicly accessible, allowing anyone who found them to extract internal configuration data and personal information – photos, names, emails, home addresses, marital status, and phone numbers – not all of which related to users of the app. When users create a profile, they are asked whether they’d like to invite anyone else to use the app. When a user agrees, all of their contacts are uploaded to the application.
The exposed data set also included files from churches that had provided information about their congregations to Pray.com, which means an individual who has never downloaded the application could have had their data exposed. Also included in the data set were donation records – including the name of the donor, donation amount, and Pray.com processing charge – as Pray.com allows users to donate to a church through the app. Interestingly, while the records show donations being sent to Pray.com, they don’t show Pray.com forwarding them to any churches. This isn’t indicative of anything by itself, as not all of the application’s servers were misconfigured and that data may be stored somewhere else.
Additionally, while Pray.com took steps to secure these files after collection, the S3 buckets in which the files were stored were left unprotected, so anyone who found the buckets could extract the files.