Video streaming platform Lionsgate Play exposed sensitive data on millions of its users that was stored on an unprotected ElasticSearch instance, Cybernews research team has found.
The vulnerable instance contained 20GB of server logs with nearly 30 million entries. Some of the data dates back to May 2022, and included user IP addresses as well as information on user devices, operating systems, and web browsers.
“Logs also leaked the platform’s usage data, typically used for analytics and performance tracking. URLs found in logs contained titles and IDs of what content users watched on the platform, along with search queries entered by the users,” the researchers said.
In addition, the team discovered unidentified hashes with logged HTTP GET requests, which are user-made requests for data, stored on the server. While the team could not determine the exact purpose or usage of the hashes, they note that all hashes contain more than 156 characters.
“Hashes didn’t match any commonly used hashing algorithms. Since these hashes were included in the HTTP requests, we believe they could have been used as secrets for authentication, or just user IDs,” said researchers.
The team contacted Lionsgate about the leak, and the exposed instance has since been secured.
Cybernews notes that while the exposed data is not personally identified information, it still could be used in targeted attacks, especially when combined with other leaked or publicly available information.