VPNOverview’s research team recently discovered a cybersecurity flaw that leaked sensitive data from Pinkfong Company apps, including Google login credentials, app settings, and a Slack webhook.
We alerted Pinkfong staff, who immediately sealed the leak. No personally identifiable information from customers was ever exposed in this breach.
Pinkfong, a South Korean company, publishes educational apps for kids, with downloads in the millions. They are also the company responsible for the “Baby Shark Dance” — now YouTube’s most-watched video with over 11 billion views. In addition to educational tools, they also create and publish apps featuring popular characters like Peppa Pig and Bob the Builder.
CMS Bucket Left Open
Our security team discovered an unsecured AWS S3 bucket containing data and scripts belonging to Pinkfong. While examining the bucket, we found what appeared to be data from Pinkfong’s CMS (content management system) used for configuring their apps and hosting streaming content.
Each directory in the bucket held settings, content, and scripts related to their apps.
Many of the scripts we found had plaintext credentials, which exposed some of the Baby Shark developer’s web services.
Google Drive, Gmail, and Slack Credentials Leaked
Some more concerning discoveries include exposed credentials and passwords for Gmail, Google Drive, and Slack. Two separate email accounts had their passwords leaked.
It appeared Pinkfong uses Google Sheets as part of its CMS pipeline and leaked valid OAuth2 keys that enabled access to their Sheets.
“I was surprised to see so many credentials in plaintext,” Aaron Phillips, the cybersecurity professional leading this investigation, said. “Everyone is talking about DevSecOps lately, and I think this breach is a really good illustration of why they’re necessary. You just can’t leave passwords laying around in scripts anymore or store OAuth keys in an unencrypted bucket. Whether it’s a CI/CD pipeline or CMS, that’s asking for trouble.”
When we accessed Pinkfong’s Google Sheets, we also discovered settings for their apps. However, we did not encounter any user information stored there.
Another discovery of note was a Slack webhook and username found in a script.
Timeline
Here is a timeline of events:
| Event | Date | Time |
|---|---|---|
| Our team discovered sensitive files in an open S3 bucket. | August 10, 2022 | 3:30 PM |
| We were able to confirm the files belonged to Pinkfong. | August 11, 2022 | 1:15 PM |
| We notified Pinkfong of the breach via email. | August 12, 2022 | 4:52 PM |
| We sent a second notification to Pinkfong’s email. | August 22, 2022 | 10:50 AM |
| Customer Support replied and gave us a link to a web form, which we used to notify Pinkfong again. |
August 25, 2022 | 9:53 AM |
| Pinkfong secured their bucket and closed the breach. | August 25, 2022 | 10:00 AM |
When asked about the plaintext passwords we found, Pinkfong co-founder and CTO Dongwoo Son said, “These days we don’t put passwords in the script, but there were problems in legacy scripts, so we deleted the files that contain plain passwords.”
The Risk of a Google Drive Breach
Google Drive, like any cloud storage service, can be at risk of leaks if the software is vulnerable or misconfigured. For instance, in 2018, an official software update created a Google Drive security hole via the Google+ API, which exposed the private data of over half a million users.
Being able to access OAuth keys is also dangerous, even if the permissions are segmented out well. We just covered a Microsoft incident relating to the risks of OAuth apps.
In other cases, we’ve seen Google Drive breaches lead to mass-scale identity theft and phishing attacks. But in this instance, that turned out not to be an issue.
DevSecOps and the Hybrid Cloud
Pinkfong’s exposed CMS storage shows why DevSecOps (development, security, and operations) is important when a developer uses a hybrid cloud infrastructure. Every small security flaw is magnified when code is accidentally published on the internet. Best practices, like keeping passwords out of maintenance scripts and encrypting OAuth keys, become critical.
Just days before this report, on Sept. 28, 2022, we covered the Fast Company hack where attackers had commandeered parts of the firm’s CMS to send obscene push notifications to subscribers. Attackers in that case also noted they had access to a Slack webhook, which they said they opted not to use.
While hijacked webhooks pose a phishing risk, specifically, developers at Baby Shark or other apps could have been targeted with social engineering schemes designed to collect additional credentials or data.
Ultimately, no harm was done to Pinkfong’s millions of users. But the company and others like it — with popular apps and an enormous YouTube audience — are a compelling target for cybercriminals. We’re satisfied that Pinkfong was able to close this breach and secure its CMS and cloud services.
