Popular cloud-based video downloader service Dirpy has been inadvertently exposing its users' sensitive data due to a misconfiguration of its systems, potentially leaving them vulnerable to cyberattacks. The logs, containing a staggering 15.7 million entries of private data, revealed user IP addresses and their download history, a significant portion of which was explicit content.
Dirpy is an online video downloading service with two million monthly visitors, primarily used for YouTube and adult websites, mostly by people in the US and Japan. On March 24, Cybernews' research team discovered that this video downloader had an open Kibana instance without properly configured authentication. According to the team's research, the instance was open from March 18 to April 24, 2024.
Kibana is an open-source data visualization tool for creating interactive dashboards. If an instance is reachable online and not secured by authentication, those dashboards are accessible to anyone. The tool offers powerful search and querying capabilities, report generation, and real-time data monitoring, which meant the video service's user data was being leaked continuously, in real time, while the instance was open.
The exposed logs contained URLs of the requested content (most from adult sites) and the corresponding user IP addresses, as well as sensitive data such as sexual orientation, habits, and interests. Dirpy has a free version that does not require an account, but that offers little protection, since the exposed IP addresses could potentially be used to identify users and reveal their locations.
The Cybernews team alerted the owner of the open Kibana instance, and access to the instance was secured on April 24, 2024. However, it is unknown whether malicious third parties discovered and exploited the database before the leak was detected.
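What securing a self-managed Kibana instance typically involves, shown as an added configuration example that is not taken from Dirpy or Cybernews. It assumes a self-managed Elasticsearch and Kibana pair; the host, port and password placeholder are constructed, and the report does not say how Dirpy's instance was actually set up or fixed.

```yaml
# ---------------------------------------------------------------
# elasticsearch.yml
# ---------------------------------------------------------------
# Weak: with security features off, Elasticsearch accepts anonymous
# requests and the Kibana in front of it shows no login page at all.
# xpack.security.enabled: false

# Corrected: require authenticated users for every request.
xpack.security.enabled: true

# ---------------------------------------------------------------
# kibana.yml
# ---------------------------------------------------------------
# Weak: listening on every interface puts the dashboards on the
# public internet as soon as the port is reachable.
# server.host: "0.0.0.0"

# Corrected: bind to loopback and publish Kibana only through a VPN
# or an authenticating reverse proxy (assumed deployment choice).
server.host: "127.0.0.1"
server.port: 5601

# Kibana's own service account for talking to Elasticsearch.
# The address below is a constructed local example.
elasticsearch.hosts: ["http://127.0.0.1:9200"]
elasticsearch.username: "kibana_system"
# Placeholder: store the real value with the kibana-keystore tool
# instead of writing it into this file.
elasticsearch.password: "<kibana_system password>"
```

Request logs holding user IP addresses and requested URLs, like those described above, also warrant a short retention period and restricted index permissions, so that a single exposed dashboard does not reveal the whole history.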
Downloading videos from these platforms without the copyright holder’s permission is generally illegal, but using them for non-commercial purposes is legal, and there’s a high demand for downloading tools, especially for YouTube content.