If you spent any time on social media over the holidays, you likely encountered Popsugar’s Twinning app, a tool that analyzes a selfie to determine which celebrity you most resemble. The results were, as is often the case with these kinds of tools, either comically generous or shockingly cruel, but they nevertheless satiated a curiosity that served to override the nagging voice in your brain reminding you that uploading personal things is actually bad.
TechCrunch reports that, surprise, Popsugar’s tool didn’t much care what happened to your selfies after you uploaded them, meaning they were downloadable by just about anyone. Apparently, the photos were stored in a “storage bucket” hosted on Amazon Web Services, the web address of which was right there in the code on the tool’s website.
“We verified the findings by uploading a dummy photo of a certain file size at a specific time,” TechCrunch wrote. “Then, we scraped a list of filenames uploaded during that time period from the bucket’s web address, downloaded them and found our uploaded image by searching for that photo of a certain file size.”
In response to TechCrunch’s piece, Popsugar locked down the bucket and confirmed that “the bucket permissions weren’t set up correctly.” Way to go, guys.
This isn’t a huge deal, what with the majority of users posting their results for the public to see anyway. Selfies, after all, obviously aren’t as much of a security risk as one’s passwords or account numbers. Still, it serves as a reminder that it’s not just Facebook, Uber, and Trump dating sites that are oozing your data, but also even the most harmless-looking quizzes and tools.
Next time, just trust Grandma when she says you look just like Brad Pitt.