Over 300 million private messages from Chinese users of popular messaging apps were sitting exposed on the internet on Saturday, according to security researcher Victor Gevers, who works for the nonprofit organization GDI. The database of 364 million records left users’ personal identities searchable by anyone who found its IP address, as reported by the Financial Times.
Each record, drawn from apps like WeChat and QQ, also contained personally identifying data: Chinese citizen ID numbers, photos, addresses, GPS location data, and information about the type of device being used. Worse, the main database also forwarded the data to 17 other remote servers, according to Gevers.
To Gevers, it looks like the data ultimately gets distributed to police stations in cities or provinces — the other 17 servers — identifiable by their numerical codes. To be clear, he tells The Verge, “There is no evidence that law enforcement is doing something active with this spoonfed data. But the infrastructure and well-planned data distribution are there.”
“There were chats from teenagers. Direct messages that were supposed to be private,” Gevers says, “I threw a few into Google Translate and shared those to Twitter. But we stopped there — I don’t think Chinese people will appreciate it if we start digging more into their conversations.”
Many of the records contained addresses of internet cafes, indicating that the users might be gamers who frequent these cafes. Internet cafes have often been a target of censorship in China; some local officials have asked cafes to install software that tracks what their users browse.
Gevers first found the leak when monitoring devices through Shodan, a search engine that lets you look up internet-connected devices. According to him, it looked like someone had messed up a firewall configuration, leaving the database exposed. Gevers reached out to a Chinese internet service provider, ChinaNet Online, on Saturday and the database was locked down after a few hours.
Gevers tweeted on March 3, 2019 (Victor Gevers, @0xDUDE): “One of the multiple intelligence feeds showing the distribution of triggered events routed to the police stations identified by numbers. It’s a very effective way of spreading the workload from a single source to multiple operators. It will require tremendous work ethics as well.” pic.twitter.com/JOXus89GPf
What was actually surprising in this case was that the information was open for anyone to access. Gevers told Bleeping Computer in an earlier interview, “There is no security. It looks like they have no clue what they are doing.”
When Gevers emailed the Chinese ISP to warn it to secure the data, he included some tips on how to keep the information more secure. He advised the ISP to protect the server with a firewall that blocks the database port, or to accept only local connections. “Criminals often target open databases to deploy their activities like data theft or ransom,” he warned the Chinese ISP. “But we also have seen cases where open servers like these are used for hosting malware and botnets.”
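The check a practitioner would run before a Shodan crawler runs it for them is whether any datastore on the host is listening on a wildcard address rather than loopback. The script below is an added example, not code from Gevers, GDI or The Verge: it parses Linux `ss -ltn` listener output (a constructed sample is embedded so it runs offline) and flags common database ports bound to 0.0.0.0 or [::]. The port list and the sample lines are assumptions for illustration; the incident report does not name the database software involved.

```shell
#!/bin/sh
# Constructed sample of `ss -ltnH` output (made up for this example, not
# data from the incident). On a real host replace it with "$(ss -ltnH)".
SAMPLE_SS='LISTEN 0 128 0.0.0.0:27017 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 [::]:9200 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Default ports of common datastores (MongoDB, Redis, Elasticsearch,
# MySQL, PostgreSQL). Assumed list; extend it for your own environment.
DB_PORTS="27017 6379 9200 3306 5432"

# exposed_db_listeners LISTENER_TEXT
# Prints "port address" for every database port whose local address is a
# wildcard, i.e. reachable from every interface the firewall lets through.
# Prints nothing when all datastores are bound to loopback.
exposed_db_listeners() {
    printf '%s\n' "$1" | awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        addr = $4                       # local address:port column
        port = addr; sub(/.*:/, "", port)       # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)  # everything before it
        if ((port in want) && (host == "0.0.0.0" || host == "[::]" || host == "*"))
            print port, host
    }'
}

# The two remediations Gevers recommended, for each flagged port:
#   1. bind the service to loopback only (e.g. a bindIp / bind setting of
#      127.0.0.1 in the datastore config), or
#   2. drop inbound traffic to the port from anything but loopback, e.g.
#      iptables -A INPUT -p tcp --dport <port> ! -i lo -j DROP
exposed_db_listeners "$SAMPLE_SS"
```

Run on the sample, the script reports 27017 on 0.0.0.0 and 9200 on [::]; the Redis listener on 127.0.0.1 and the SSH listener are not reported, since one is loopback-only and the other is not a datastore port. A wildcard bind is not a vulnerability by itself, but combined with the "messed up firewall configuration" described above it is exactly what makes a database visible to Shodan.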