Cameo’s Private Celeb Shout-out Videos Weren’t So Private After All

Cameo is a delightful app. You can pay D-list celebrities—the tier of folks you’d watch on The Masked Singer or some other ridiculous reality show—to record personalised videos for you and your friends. Prices per video depend on each celeb’s rates, but paying a Real Housewife to send a surprise birthday greeting to a Bravo-obsessed loved one is almost priceless.

Except those private video greetings weren’t actually private at all. It turns out that Cameo is kind of a disaster when it comes to security, according to a Motherboard report.

Motherboard discovered two separate issues, thanks to a tip-off from an anonymous researcher.

The first issue seems to be the result of a strange but intentional decision. Cameo allows users to create and share links to videos without requiring a password to view those videos. That includes videos that users mark as private, which just means that they’re not publicly listed on a celebrity’s profile. Motherboard was able to run a script to find private videos on Cameo—ones that, ostensibly, the user who requested them had no intention of making publicly viewable.

But Cameo also exposed user email addresses, phone numbers, in-app messages, and salted and hashed passwords by storing the credentials to its Amazon server in the Android version of the company’s app code.

“Cameo recently learned of a vulnerability in one of our databases from a third party security data researcher potentially affecting a limited amount of account holder data,” the company said in a statement to Motherboard. “Our team promptly fixed the issue. After thoroughly investigating the matter, we are currently not aware of any evidence indicating that anyone else other than the security researcher knew of or utilised the vulnerability. The trust of our community and data security are top priorities for Cameo. We are continuing to actively investigate the issue and continuously investing in data security.”

The company said it has resolved the issue and is notifying affected users.

Motherboard discovered a few other issues with Cameo’s operations. The company stores its privacy policy in a Google Doc, which is an interesting decision. The anonymous researcher also provided Motherboard with Cameo’s training video for participating celebrities, which details how they should upload their videos to Telegram instead of directly to Cameo.

So if you want your fave reality star to record a birthday greeting for you, just beware that your personal info—and your video—might be out there for the world to find.
