A marijuana-enthusiast website that allows members to watch drug-related videos and movies while taking part in real-time chat was found to be leaking millions of messages from more than 44,000 users onto the open web.
The website in question, named TheTreesNetwork, is a niche internet community that launched in March 2015, which not only streams movies but lets users submit their own content. The website states: "Grab your favourite piece and chill with some friends while smoking and watching videos together! If this is your first time visiting, make sure to introduce yourself!"
The flaw was uncovered by MacKeeper security researcher Chris Vickery, who has become well-known for using the Shodan search engine to locate unprotected databases leaking sensitive data online.
In this instance, Vickery said that more than 10 million chat messages were leaked – bad news for users discussing a drug that remains illegal in many countries across the world. What's worse for members of the online community, the database appeared to show that TreesNetwork keeps full logs of its users' IP addresses.
"Even if you are chatting under a pseudonym, all it would take is a subpoena to your internet service provider to find out who you are," Vickery warned. "I'm willing to bet that some of those chats would qualify as self-incriminating."
The security issue was disclosed to the website on 8 May 2016 and came in the form of an unprotected MongoDB database, Vickery explained, before posting screenshots of the database folders. They included data on apps (2GB), users (36.5MB), messages (7.3GB) and images (16KB). The flaw was publicly disclosed on 16 May.
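The exposure described above is the classic one: a MongoDB instance listening on a public interface with access control left at its default of disabled, so anyone who finds the port can read every collection. The script below is an added example, not code from the article or from TheTreesNetwork; it audits a mongod.conf for those two settings. The configuration snippets it contains are constructed for illustration, and the minimal parser handles only the two-level YAML subset that mongod.conf uses.

```python
"""Audit a mongod.conf (YAML) for the settings that most often turn a MongoDB
instance into an open database on the internet: listening on all interfaces
and running without access control. Added example; the configs are constructed."""

from typing import Dict, List, Optional

# Constructed example: listens on every interface and has no security section.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example: the hardened counterpart.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Constructed example: auth is on, but the listen address was never pinned down.
UNSET_BIND_CONF = """\
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the 'section:\\n  key: value' subset of YAML that
    mongod.conf uses. It is deliberately not a general YAML parser."""
    conf: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):           # top-level key opens a section
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    conf = parse_mongod_conf(text)
    findings: List[str] = []

    net = conf.get("net", {})
    bind_ip = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    wildcard = bind_ip is not None and any(
        addr.strip() in ("0.0.0.0", "::") for addr in bind_ip.split(",")
    )
    if bind_all or wildcard:
        findings.append("net.bindIp: listens on all interfaces; restrict to "
                        "localhost or a private address and firewall the port")
    elif bind_ip is None:
        # MongoDB 3.6+ binds to localhost by default; earlier releases bound to
        # all interfaces, so an unset value deserves a second look either way.
        findings.append("net.bindIp: not set explicitly; pin it to the address "
                        "the application actually connects from")

    # security.authorization defaults to disabled, i.e. no credentials needed.
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append("security.authorization: not enabled; anyone who can "
                        "reach the port can read every collection")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("unset-bind", UNSET_BIND_CONF)):
        print(name, "->", audit_mongod_conf(conf) or "no findings")
```

Running it against a live deployment's mongod.conf is the quick check; pairing it with an external port scan of the host confirms that the listening address and firewall agree with what the file says.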
To report the breach, Vickery casually joined the main chat room and told members their data was leaking to the web. He explained: "After joining the chat, I wrote: 'What would you do if I had proof that this site is leaking user details?'. The response from the crowd was basically, 'Prove it.' So, I did, by posting an Imgur.com link to an image showing an overview of the database.
"Personally, I have no feelings one way or the other regarding marijuana usage. But I do have a soft spot in my privacy-loving heart for people who may be saying incriminating things in an online chat without knowing that logs are being kept and their identities could be easily compromised by a breach."
The website administrator was quick to fix the problem and the security issue is now believed to be fully resolved. Additionally, passwords found in the database were protected with a strong password-hashing algorithm, 'bcrypt', and as a result could not be easily compromised. Vickery added: "The lesson to learn here is to always be careful about what you say online. You never know when it might come back to haunt you."