Photo Graphic Snap

AI Image App Leaks 1.5 Million User-Generated Photos

An Android app that promised AI-powered photo and video makeovers instead left a large volume of user content publicly exposed, according to researchers from Cybernews.

An app called Video AI Art Generator & Maker, which has been downloaded more than 500,000 times from the Google Play Store, leaked user data through a misconfigured Google Cloud Storage bucket. The bucket required no authentication, allowing anyone who discovered it to access the stored files.

Cybernews reports that the exposed storage contained more than 1.5 million user-uploaded images and over 385,000 user-uploaded videos. In addition, it held millions of AI-generated files, including approximately 2.87 million AI-generated images, 2.87 million AI-generated videos, and over 386,000 AI-generated audio files. In total, the bucket stored about 8.27 million media files amounting to more than 12 terabytes of data.

The app, which offered cinematic-style AI makeovers for photos and videos, launched in mid-June 2023. The researchers found that the storage bucket appeared to contain every file uploaded since the app’s launch, with the oldest files dating to just before it became publicly available.

The database was allegedly linked to Codeway Dijital Hizmetler Anonim Sirketi, a private company registered in Turkey. However, the app was not visible on the developer’s official website, and Codeway’s public Play Store profile listed only a small number of other apps. Cybernews notes that another app associated with the company, Chat & Ask AI, had previously been found to expose a large volume of user messages due to a separate backend misconfiguration.

After Cybernews contacted the developers behind Video AI Art Generator & Maker, they secured the exposed database shortly afterward.

“This data leak shows how some AI apps prioritize fast product delivery, skipping crucial security features, such as enabling authentication for the critical cloud storage bucket used to store user data, including images and videos,” the researchers say.

The researchers warn that many AI apps store sensitive user uploads alongside AI-generated content and often embed secrets such as API keys or passwords directly into their code. Cybernews found that roughly 72 percent of the hundreds of Google Play apps it analyzed showed similar security vulnerabilities, raising concerns about how safely user data is handled across the rapidly growing AI app ecosystem.

Image credits: Header photo licensed via Depositphotos.