Drupe Android Application Exposed Some Users’ Pictures and Audio Messages

Drupe, an Android application designed to enable communication via phone calls, text messages, and through integrations with social media chat applications such as Skype and WhatsApp, left some of their users’ pictures and audio messages publicly accessible via unsecured Amazon Web Services (AWS) S3 buckets. According to a post published by the Drupe Team on May 7, the flaw only affected those who used the Drupe Walkie Talkie feature to send messages or the Drupe special messaging infrastructure to send images. These features are reportedly utilized by approximately three percent of Drupe users. The NJCCIC recommends administrators of AWS S3 buckets and other cloud databases review our previous NJCCIC Cyber Alert on the risks associated with misconfigured S3 buckets, audit their security settings, and implement the mitigation strategies provided as soon as possible.