Cybernews also say "there was no way to effectively compare the data between different datasets" which also reeks of bs. If it's all packaged in the url + username + password format they say it is, that's an easy parse, load into database, and query exercise.
A lot here doesn't pass sniff tests.
Probably needless to say, but we strongly advise not using the app, at least until the issues are fixed.
If you have an account and have not done so already, change your password ASAP! If you're worried about your location, go away from home/work, update your location, then don't open the app again
If video is more your style, check @mctoon.bsky.social's video where he covers the findings listed in our repo.
At the time we started investigating the app, it was leaking user passwords (as featured recently in @haveibeenpwned.com)
www.youtube.com/watch?v=71FR...
The first flat earth app we dug into is the "Flat Earth Sun, Moon & Zodiac Clock" app by "Flat Earth Dave" aka DIRTH.
We've published what we've found (and are able to publicly disclose) so far at github.com/globesec/fla...
Most things, least of all the broken auth, have still yet to be fixed.
We're here now! ๐ Our research (so far ๐) is on our Github
github.com/globesec/fla...
New breach: The flat earth sun, moon & zodiac app by "Flat Earth Dave" had 33k unique email addresses breached in Oct. Data included plain text passwords and users' lat and long (their position on the globe). 73% were already in @haveibeenpwned.com. More: www.youtube.com/watch?v=71FR...
I finally got around to creating this account ๐
We're GlobeSec, a collective of developers and #infosec people investigating privacy and security risks in apps made by flat earthers (yes, those people do exist).
We publish our research over on our github github.com/globesec
#introduction
