Indian social media app Slick revealed children’s user data • Zoo House News

Rising Indian social media app Slick left an internal database of users’ personal information, including schoolchildren’s data, publicly available on the web for months.

Since at least December 11, a database of full names, cell phone numbers, dates of birth and profile pictures of Slick users without a password has been online.

Bengaluru-based Slick was launched in November 2022 by former Unacademy Executive Director Archit Nanda after he turned his back on crypto and shut down his previous startup CoinMint. His latest venture, Slick, is available for both Android and iOS and works similarly to Gas, a compliment-based app popular in the US. The app also allows students to talk anonymously to and about their friends.

security researcher Anurag Sen from CloudDefense.ai found the exposed database and asked Zoo House News for help in reporting the incident to the social media startup. Slick backed up the database shortly after Zoo House News got in touch on Friday.

Due to a misconfiguration, anyone familiar with the database’s IP address could access the database, which at the time of the backup contained entries from over 153,000 users. Zoo House News also found that the database could be accessed via an easy-to-guess subdomain on Slick’s main website.

The researcher also informed the Indian Computer Emergency Response Team, known as CERT-In, the country’s leading authority for handling cybersecurity issues.

Nanda confirmed to Zoo House News that Slick fixed the reveal. It is not known if anyone other than Sen found the database before it was backed up.

Slick attracted many younger users in India shortly after its debut last year. Earlier this month, Nanda took to Twitter announce that the app has exceeded 100,000 downloads.