
Security researchers have uncovered a major data exposure linked to apps distributed via the Google Play Store, raising fresh concerns about the risks posed by unvetted AI tools.
One app at the centre of the controversy, Video AI Art Generator & Maker, has been installed more than 500,000 times and amassed over 11,000 reviews. According to a report cited by Forbes, the app leaked more than 1.5 million user images, over 385,000 videos and millions of AI-generated files.
Researchers found that a misconfigured Google Cloud Storage bucket allowed unauthenticated access to stored media. In total, more than 12TB of data — representing 8.27 million files accumulated since the app’s launch on June 13, 2023 — was reportedly exposed.
The app no longer appears publicly searchable on the Play Store following disclosure of the issue.
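The bucket misconfiguration described above is, in IAM terms, a binding that grants a storage role to the pseudo-principal allUsers (anyone on the internet) or allAuthenticatedUsers (anyone with a Google account). The following is an added example, not code from the researchers or the developer: it audits a bucket policy in the shape `gsutil iam get gs://BUCKET` returns and produces a hardened copy. The policy, project and service-account names are constructed; the role and member identifiers are real GCS IAM strings.

```python
"""Audit a Google Cloud Storage bucket IAM policy for anonymous access.

Added example; not code from the report, the researchers or the developer.
SAMPLE_POLICY is a constructed policy in the shape returned by
`gsutil iam get gs://BUCKET`. The role and member strings are real GCS IAM
identifiers; the project and service-account names are hypothetical.
"""
import copy
import json

# Principals that make a binding world-readable: "allUsers" is anyone on the
# internet (no login at all), "allAuthenticatedUsers" is anyone with a Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the classic misconfiguration. objectViewer granted to
# allUsers lets anyone fetch every object and, knowing the bucket name, list them.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {
            "role": "roles/storage.objectAdmin",
            "members": ["serviceAccount:uploader@example-project.iam.gserviceaccount.com"],
        },
    ],
    "etag": "CAE=",
}


def public_grants(policy):
    """Return [(role, member), ...] for every binding to a public principal."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def harden(policy):
    """Return a copy of the policy with all public principals removed.

    Bindings left with no members are dropped entirely. The etag is kept so the
    result can be submitted with `gsutil iam set` as a conditional update that
    fails if someone else changed the policy in the meantime.
    """
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


if __name__ == "__main__":
    for role, member in public_grants(SAMPLE_POLICY):
        print(f"PUBLIC: {member} has {role}")
    # Hardened policy, ready for `gsutil iam set hardened.json gs://BUCKET`.
    print(json.dumps(harden(SAMPLE_POLICY), indent=2))
```

An outside-in check needs no credentials at all: an unauthenticated GET of https://storage.googleapis.com/storage/v1/b/BUCKET/o returns an object listing (HTTP 200) for a bucket configured like the sample, and a 401 or 403 for a properly restricted one. Beyond fixing individual bindings, GCS can refuse public bindings at bucket level with public access prevention (`gsutil pap set enforced gs://BUCKET`), which is the setting a media-upload backend should run with, since the app itself should reach the bucket through signed URLs or its own backend rather than through a world-readable policy.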
KYC data also exposed
The situation worsens with a second app from the same developer, IDMerit, which reportedly exposed Know Your Customer, or KYC, data. KYC information includes identity documents, addresses, phone numbers and other personally identifiable details required by financial institutions to verify customers.
The exposed data allegedly affected users in the United States and at least 25 other countries, including Germany, France, China and Brazil. Reports described the leak as a “treasure trove” of personal information.
The developer behind both apps, Codeway, has since secured access to the affected IDMerit data as of February 3, according to researchers. However, the scale of the exposure highlights systemic weaknesses in app security practices.
The hardcoding problem
Much of the risk stems from a widely criticised development practice known as hardcoding secrets: embedding credentials such as cloud API keys, service-account keys, passwords or encryption keys directly in an app's source code or resource files. A secret baked into a published Android app is not secret at all. The APK is shipped to every user and can be unpacked and decompiled with freely available tools, so anyone can lift the key and use it with whatever privileges the app has, for example to list or write the storage bucket the app uploads to. If the source code is also pushed to a public repository such as GitHub, automated bots that scan for credential patterns can harvest the key within seconds of the commit.
Cybernews researchers found that 72 per cent of the Play Store apps they analysed contained hardcoded secrets or similar weaknesses.
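What the Cybernews-style analysis does in practice is unpack each APK and scan its resources and code for credential patterns. The block below is an added example, not the researchers' tooling or anything from the app: it scans text for known key formats (Google API keys, AWS access key IDs, PEM private key blocks, GCP service-account e-mails) and for high-entropy values stored under secret-looking resource names, then walks an apktool output tree. The strings.xml and service-account JSON are constructed, and every key value in them is fabricated.

```python
"""Scan decompiled Android app resources for hardcoded credentials.

Added example; not code from the report or the app. In practice the input is the
tree produced by `apktool d app.apk` (res/values/strings.xml, assets/, smali/).
Here a constructed strings.xml and a constructed service-account JSON are
embedded so the scan runs offline; every key value in them is fabricated.
"""
import math
import os
import re

# Credential formats with a recognisable prefix. Google API keys are "AIza"
# plus 35 characters; AWS access key IDs are "AKIA" plus 16 characters.
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "gcp_service_account": re.compile(r"[a-z0-9\-]+@[a-z0-9\-]+\.iam\.gserviceaccount\.com"),
}
# Resource names that smell like secrets. Confirmed by requiring a single
# whitespace-free token with high entropy, so UI text such as a password hint
# (English prose sits around 3.5-4.5 bits/char) is not reported.
SUSPICIOUS_NAME = re.compile(r"(secret|password|passwd|token|api_?key|private_?key)", re.I)
STRING_RES = re.compile(r'<string name="([^"]+)">([^<]*)</string>')

# Constructed sample of res/values/strings.xml with fabricated credentials.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example Art App</string>
    <string name="google_api_key">AIzaSyDfakefakefakefakefakefakefakefake</string>
    <string name="storage_service_account">uploader@example-project.iam.gserviceaccount.com</string>
    <string name="upload_secret">k7Qp2zXv9Ln4Rt8Wb3Yc6Hd1Jf5Mg0Sa</string>
    <string name="password_hint">Enter your password to continue</string>
</resources>
"""
# Constructed sample of a service-account key file bundled under assets/.
SAMPLE_ASSET_JSON = (
    '{"type": "service_account", "client_email": "uploader@example-project.iam.gserviceaccount.com", '
    '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...(constructed)\\n-----END PRIVATE KEY-----\\n"}'
)


def shannon_entropy(s):
    """Bits per character of s: about 5 for a random 32-char key, 0 for one repeated char."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, entropy_threshold=4.0, min_len=16):
    """Return [(kind, match), ...] for credentials found in one file's text."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.append((kind, m.group(0)))
    for name, value in STRING_RES.findall(text):
        if (SUSPICIOUS_NAME.search(name) and len(value) >= min_len
                and not re.search(r"\s", value)
                and shannon_entropy(value) >= entropy_threshold):
            findings.append(("high_entropy_string_resource", f"{name}={value}"))
    return findings


def scan_directory(root, exts=(".xml", ".json", ".smali", ".properties", ".js")):
    """Walk an apktool output tree and return [(path, kind, match), ...]."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(exts):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    results.extend((path, k, v) for k, v in scan_text(fh.read()))
    return results


if __name__ == "__main__":
    for kind, match in scan_text(SAMPLE_STRINGS_XML) + scan_text(SAMPLE_ASSET_JSON):
        print(f"{kind}: {match}")
```

On the sample the scanner reports the Google API key and the service-account address by format, and `upload_secret` by entropy, while `password_hint` is ignored because its value is prose. A finding is only the start: the question that matters is what the key is authorised to do, which for a service-account key bundled in an APK is usually everything the app's backend can do. Note that prefix patterns only catch formats you know about; the entropy rule is the fallback for everything else, and it will produce some false positives that need a human look.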
How to reduce your risk
Users should exercise caution before installing AI editing or identity verification apps, particularly lesser-known ones. Checking a developer’s portfolio can offer clues. A large number of near-identical apps may suggest a volume-driven approach rather than a security-focused one.
It is also advisable to look for Google’s “Verified Developer” badge on the Play Store, review app permissions carefully and avoid uploading sensitive identity documents unless absolutely necessary.