Dalil, an Android caller ID app similar to Truecaller but aimed at Saudi and other Arab users, was found to have been leaking user data for over a week through a MongoDB database that was reachable from the internet without a password.
The exposure was discovered by security researchers Ran Locar and Noam Rotem. The database holds the app's entire data set, including users' personal details and activity logs.
The database contained information such as:
- User cell phone numbers
- App registration data (full name, email, Viber account, gender, etc.)
- Device details (make and model, serial number, IMEI, MAC address, SIM number, OS version, and more)
- Telecom operator details
- GPS coordinates (not for all users)
- Individual call details and number searches
Most of the records belong to Saudi users, judging by the country code attached to each entry. There are also Egyptian, Emirati and European numbers, and even a few Israeli/Palestinian ones, though in small numbers.
The data is sensitive enough that an attacker could build fake profiles of the app's users. Users who granted the app access to their location are at additional risk, because they can be tracked easily.
With the GPS coordinates, an attacker can follow a user's location in near real time: call the target's phone number, watch the exposed database for the new call-log entry, and read off the user's GPS position at the moment the call was made.
The Dalil MongoDB server is also easy to find online with readily available tools. The database currently exposes around 585.7 GB of data. According to the researchers, new records are added daily, which shows that this is the app's production server rather than an abandoned test system or a redundant backup.
According to Dalil's Play Store page, the app has been downloaded more than five million times. The database does not, however, contain information on the app's former users.
The researchers said that a threat actor had already accessed the database, encrypted some of the data, and left a ransom note behind. Dalil's IT team, however, has not noticed the breach and has continued to write new user data and app logs to the compromised database.
An estimated 208,000 new phone numbers and 44 million app events (registrations, logins, and incoming and outgoing calls) were recorded in the last month alone.
The researchers contacted Dalil's team on February 26, the day the exposed database was noticed. The database is still open.
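The following Python block is an added example and is not code from Dalil, from the researchers, or from this article. It does two things the report implies but does not show: it reproduces the tracking step described above (place a probe call, then correlate it with the newest call-log document for the target) over constructed sample documents, and it gives an operator two checks for the underlying problem, namely whether a MongoDB instance accepts anonymous clients at all and whether its database list already carries the kind of marker a ransom script leaves behind. The document layout (`user_number`, `event`, `peer`, `ts`, `gps`), the sample numbers and the ransom-marker list are all assumptions made for illustration; the real Dalil schema and the actual note were not published here.

```python
"""Correlating an exposed caller-ID call log with a probe call, plus two
MongoDB exposure checks.

Added example; not code from the Dalil app, the researchers, or the article.
Field names below are an assumption for illustration only.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample documents standing in for the exposed collection.
# The phone numbers are fabricated placeholders, not real subscribers.
SAMPLE_CALL_LOG = [
    {"user_number": "+966500000001", "event": "incoming_call", "peer": "+966500000099",
     "ts": "2019-03-01T09:58:30Z", "gps": {"lat": 24.7136, "lon": 46.6753}},
    {"user_number": "+966500000001", "event": "number_search", "peer": "+966500000050",
     "ts": "2019-03-01T10:00:10Z", "gps": None},
    {"user_number": "+966500000001", "event": "incoming_call", "peer": "+966500000099",
     "ts": "2019-03-01T10:00:12Z", "gps": {"lat": 24.7740, "lon": 46.7380}},
    {"user_number": "+966500000002", "event": "incoming_call", "peer": "+966500000099",
     "ts": "2019-03-01T10:00:15Z", "gps": {"lat": 21.4858, "lon": 39.1925}},
    # A user who denied the app location access: the call is logged, the fix is not.
    {"user_number": "+966500000003", "event": "incoming_call", "peer": "+966500000099",
     "ts": "2019-03-01T10:00:20Z", "gps": None},
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample documents (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def locate_after_probe(records, target_number, probe_number, probe_time, window_seconds=120):
    """Reproduce the tracking step from the report: after calling target_number
    from probe_number at probe_time, find the incoming_call document the
    target's app logged for that call and return (lat, lon). Returns None if
    no matching document appears in the window or if it carries no GPS fix."""
    deadline = probe_time + timedelta(seconds=window_seconds)
    candidates = [
        r for r in records
        if r["user_number"] == target_number
        and r["event"] == "incoming_call"
        and r["peer"] == probe_number
        and probe_time <= parse_ts(r["ts"]) <= deadline
    ]
    if not candidates:
        return None
    newest = max(candidates, key=lambda r: parse_ts(r["ts"]))
    gps = newest.get("gps")
    return (gps["lat"], gps["lon"]) if gps else None


def mongo_accepts_unauthenticated(host, port=27017, timeout_ms=3000):
    """Return True if the MongoDB at host:port lets an anonymous client list
    databases, which is the misconfiguration behind this exposure; False if
    the server demands credentials; None if it cannot be reached. Needs
    pymongo. Run it only against servers you are authorised to test."""
    from pymongo import MongoClient
    from pymongo.errors import OperationFailure, PyMongoError

    client = MongoClient(host=host, port=port, serverSelectionTimeoutMS=timeout_ms)
    try:
        client.list_database_names()   # requires a privilege once authorization is on
        return True
    except OperationFailure:           # "Unauthorized": auth is enforced
        return False
    except PyMongoError:               # refused, filtered, or timed out
        return None
    finally:
        client.close()


# Heuristic marker list (assumption): ransom scripts that hit open MongoDB
# servers usually leave a database or collection whose name points to the note.
RANSOM_MARKERS = ("README", "WARNING", "RECOVER", "RANSOM")


def ransom_note_databases(db_names):
    """Return the database names that look like a left-behind ransom note."""
    return [name for name in db_names if any(m in name.upper() for m in RANSOM_MARKERS)]


if __name__ == "__main__":
    probe = parse_ts("2019-03-01T10:00:00Z")
    print(locate_after_probe(SAMPLE_CALL_LOG, "+966500000001", "+966500000099", probe))
    print(ransom_note_databases(["admin", "dalil", "README_TO_RECOVER"]))
```

If `mongo_accepts_unauthenticated` returns True for a host you operate, the fix is on the server side rather than in the app: set `security.authorization: enabled` in `mongod.conf`, create an administrative user before restarting, and restrict `net.bindIp` (or a firewall rule) so port 27017 is not reachable from the internet. The correlation function also shows why the only real mitigation for the tracking attack is access control on the database; the client-side permission prompt merely decides whether the leaked call record carries a fix.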