The Android caller ID app Dalil exposed online data belonging over 5 million users, security experts discovered a MongoDB database left accessible on the web without a password.

The MongoDB behind the Android caller ID app Dalil was left exposed online, at least for a week, without a password, leaving 5 million users accessible on the web without a password.

Most of the data included in the MongoDB belongs to Saudi users, it also included data of Egyptian, Emirates, European, and some Israeli and Palestinian numbers.

Analyzing the data provides a glimpse into why Caller ID apps are the devil incarnate. At each call, the application logs the phone number, IP Address (internal and external). email, SIM ID, IMEI, timestamp, cell ID (location), GPS location, and caller (or callee) name. pic.twitter.com/OgzUehZ1Bi — Ran L 🔥🌉 (@ranlocar) March 4, 2019

The unprotected MongoDB install was discovered by security experts Ran Locar and Noam Rotem, the database contained cell phone numbers, App registration data (full name, email, Viber account, gender, etc.), device info (vendor, model, serial number, IMEI, MAC address, SIM number, OS version, others), telecom operator details, GPS coordinates for some users and logs of the users’ activity (Individual call details and number searches).

The availability of this data represents a serious threat to the privacy of the users, threat actors could use it for surveillance activity.

The availability of GPS data for some users could allow attackers to track them.

The database is 585.7GB in size, during the time the database was left exposed Locar observed a large number of new records that were added, a circumstance that suggests it was the production server used by the Dalil app.

Local also found some encrypted data in the database and also a ransom note, likely a threat actor accessed the archive and attempted to extort money to the company.

“ Locar says that at one point a threat actor also accessed the database, encrypted some of the data, and left a ransom note behind, but Dalil’s IT team didn’t even notice the breach and continued to save new user data and app logs on top of the obviously compromised database.” reported ZDNet.

According to ZDNet the database included 208,000 new unique phone numbers and 44 million app events that were added in the last month.

Lo car reported its findings to the Dalil staff on February 26.

Pierluigi Paganini

( SecurityAffairs – Delil, hacking)

Share this...

Linkedin Reddit Pinterest

Share On