Similar to many other photo sharing apps out there, every image uploaded to the service is stored in the cloud through Amazon Web Services. The difference with Twinning is that the web address of this data bucket is available right in the code on the Twinning app’s website. TechCrunch says that when the site is opened in a browser, it’s actually possible to view a real-time stream of the photos being uploaded to the service.
TechCrunch went so far as to verify its findings by uploading a dummy photo with a specific file size. The publication then scraped the list of file names uploaded during that time period, downloaded them, and found that the uploaded image was available in the site’s code.
TechCrunch says that it reached out to Popsugar regarding the security breach, but had not heard back when the story was first published.
That said, the user data was locked down shortly after. Mike Patnode, the company’s SEO, also eventually reached out to the publication to confirm that “the bucket permissions weren’t set up correctly.” As it stands right now, it looks like the security breach has been fixed.
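For readers who run their own buckets, here is an added example (not from TechCrunch or Popsugar) of an offline check that flags the two grants behind this kind of exposure: anonymous listing of file names and anonymous download. It assumes the permissions live in a bucket policy, which the article does not specify; the bucket name, account ID and statement names are constructed.

```python
import json
from fnmatch import fnmatchcase

# The two grants that map to what the article describes:
# listing file names, then downloading the files.
RISKY = {
    "s3:ListBucket": "anyone can enumerate object names",
    "s3:GetObject": "anyone can download objects",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (any caller, signed in or not)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def audit_bucket_policy(policy):
    """Return (sid, action, impact) for each unconditional anonymous grant.
    Statements with a Condition, NotAction or NotPrincipal are not evaluated
    here and need manual review; bucket ACLs are out of scope (assumption)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for action, impact in RISKY.items():
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                findings.append((stmt.get("Sid", "<no Sid>"), action, impact))
    return findings

# Constructed sample policy: two public grants and one scoped to an application role.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
   "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-uploads"},
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-uploads/*"},
  {"Sid": "AppWrite", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/constructed-app-role"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-uploads/*"}]}""")

if __name__ == "__main__":
    for sid, action, impact in audit_bucket_policy(SAMPLE_POLICY):
        print(f"{sid}: {action} granted to everyone ({impact})")
```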
Twinning works by analyzing a selfie and then comparing it to a database of photos of celebrities, resulting in a ‘twinning percentage’ along with your top five celebrity lookalikes.
As security breaches go, this one is relatively inconsequential. After all, most people using Twinning likely publicly shared their photo on a social media platform.
Still, this is yet another reminder that free apps are never actually free, and that there’s no guarantee of how secure your personal data is when you use them.
Twinning is a browser-based app and doesn’t feature a dedicated iOS or Android app.