Cameo is leaking user data and private celebrity videos you paid for


Cameo, a popular app that lets you pay celebrities to record short shout-out videos for you, is overrun with security flaws that the service's customers and famous users probably don't know about. 

According to a report from Vice, Cameo has exposed user data because of a "misconfiguration" in its app. The compromised information includes customers' emails and in-app messages. Hashed and salted passwords and phone numbers were allegedly exposed too.

On the celebrity side of Cameo's business, a researcher told Vice they discovered that Cameo videos that are meant to be private can actually be found and downloaded by anyone on the app. 

Motherboard, Vice's technology vertical, even wrote code capable of identifying private videos filmed by the likes of rapper Snoop Dogg and comedian Michael Rapaport. All these "private" videos were, in fact, accessible.

It seems Cameo's transactions are designed to be as simple as possible, relying on basic, sendable links to fulfill requests. Anyone with a link for a pending Cameo video can amend what the chosen celebrity is being asked to speak about, or even cancel the request.

Motherboard editor-in-chief Jason Koebler requested a Cameo video from comedian Gilbert Gottfried to verify its findings. Koebler set the video to private, yet a Motherboard staff writer was able to view Gottfried's message (which intentionally concerns cybersecurity) and download it.

It gets sketchier. Cameo hosts its privacy policy on a Google Doc, while Cameo creators use a messaging app called Telegram to send completed videos. 

The researcher who spoke to Vice said the app's code includes credentials that let anyone access Cameo's backend infrastructure and access user data. Motherboard believes these credentials may have been exposed for two years.

Cameo problem 'promptly fixed'

Cameo has since acknowledged the data-security scare. The company said it "promptly fixed the issue" and didn't find evidence that anyone other than the researcher had used the vulnerability. 

For good measure, anyone who has a Cameo account should change their password. Just because Cameo hashes and salts passwords (i.e., stores salted one-way hashes on its servers rather than the passwords themselves) doesn't mean your credentials are safe.

Given the dicey infrastructure mentioned above, it's certainly possible the company uses an outdated or weak password hashing algorithm.
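To make that concrete, here is an added example (not from the original report, and not Cameo's code; the algorithm Cameo actually uses is not stated) comparing a salted single-pass SHA-256 with a deliberately slow key-derivation function. The function names, the sample password and the 600,000-iteration work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this illustration


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Weak scheme: one fast SHA-256 pass over salt + password."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_kdf(password: str, salt: bytes) -> bytes:
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a high iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify(scheme, password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(scheme(password, salt), stored)


def seconds_per_hash(scheme, rounds: int) -> float:
    """Average wall-clock cost of one hash: the price of every login or guess."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        scheme(f"constructed-sample-{i}", salt)
    return (time.perf_counter() - start) / rounds


def compare_schemes() -> dict:
    password = "constructed-sample-password"  # constructed sample value
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    fast = seconds_per_hash(salted_sha256, 20_000)
    slow = seconds_per_hash(slow_kdf, 3)
    return {
        # Salting works in both schemes: same password, different stored value.
        "salt_separates_users": salted_sha256(password, salt_a)
        != salted_sha256(password, salt_b),
        "fast_seconds": fast,
        "slow_seconds": slow,
        "cost_ratio": slow / fast,
    }


if __name__ == "__main__":
    print(compare_schemes())
```

Both schemes are "hashed and salted," but only the slow one makes each password guess expensive for someone holding a leaked database, which is why the choice of algorithm matters as much as the salt.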

As for the question of private videos, Cameo clarified its policies: "A Cameo being classified as ‘private’ pertains to a specific Cameo not being posted on the Cameo platform (meaning the talent’s profiles or other pages). 

"Cameo was designed for people to gift and share personalized videos from their favorite talent between friends and family. Both public and private Cameos are intended to be shared socially."

Kate Kozuch

Kate Kozuch is the managing editor of social and video at Tom’s Guide. She writes about smartwatches, TVs, audio devices, and some cooking appliances, too. Kate appears on Fox News to talk tech trends and runs the Tom's Guide TikTok account, which you should be following if you don't already. When she’s not filming tech videos, you can find her taking up a new sport, mastering the NYT Crossword or channeling her inner celebrity chef.
