Dalil, an Android app that provides caller ID services similar to Truecaller but for Saudi and other Arabian users, has been leaking user data for a week because of a MongoDB database that has been left accessible online without a password.
Discovered by security researchers Ran Locar and Noam Rotem, the database contains what appears to be the app's entire data, from user personal details to activity logs.
Details included in a sample reviewed by ZDNet revealed the database contained information such as:
User cell phone numbers
App registration data (full name, email, Viber account, gender, etc.)
Device details (make and model, serial number, IMEI, MAC address, SIM number, OS version, others)
Telecom operator details
GPS coordinates (not for all users)
Individual call details and number searches
Most of the data included in the database belongs to Saudi users, based on the country code associated with each entry. Data for Egyptian, Emirati, European, and even a few Israeli/Palestinian numbers was also included, but to a smaller degree.
The breadth and the sensitive nature of the user data can allow a threat actor to create accurate profiles on the app's users. Users who allowed the app to access location data are also in danger of being tracked.
The GPS coordinates (where available) would allow a threat actor to track users' location in real time. All a threat actor needs to do is to place a call to the user's phone number, watch the exposed database for a new log entry, and extract the user's GPS location at that particular time.
The Dalil MongoDB server is also trivially simple to find online using readily available tools. ZDNet was able to independently locate the database based on a simple hint we received from Locar.
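The two mongod settings that decide whether a database ends up in this state are shown below as an added example; this is not Dalil's actual configuration, which is not public. The first document reproduces the exposed condition the article describes (reachable from the internet, no credentials required), the second a hardened equivalent. The private-network address and the certificate path are assumptions.

```yaml
# Added example, not Dalil's real mongod.conf.
# Document 1: the exposed state described in the article. Either of the two
# highlighted settings on its own is enough to make the data readable by anyone
# who finds the host with an internet-wide scanner.
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on every interface, public ones included
security:
  authorization: disabled    # no login required; every connection is a superuser
---
# Document 2: hardened equivalent (assumed network layout).
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5 # loopback plus the private app-server interface only
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path
security:
  authorization: enabled     # clients must authenticate; roles bound what each can do
```

Access control alone would not have surfaced the earlier intrusion the article mentions, where data was encrypted and a ransom note left unnoticed; alerting on unexpected dropped collections or newly created databases is what catches that.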
At the time of writing, the database is still exposing roughly 585.7GB of information. Locar says that new records are being added daily, meaning this is the app's production server, rather than an abandoned test system or redundancy backup.
According to Dalil's Play Store page, the app has been downloaded by more than five million users. However, the database does not hold information on every user who has ever installed the app.
Locar says that at one point a threat actor also accessed the database, encrypted some of the data, and left a ransom note behind, but Dalil's IT team didn't even notice the breach and continued to save new user data and app logs on top of the obviously compromised database.
The researcher told ZDNet that roughly 208,000 new unique phone numbers and 44 million app events (registrations, logins, and incoming and outgoing calls) have been registered in the last month alone, and data is still piling up.
Locar told us that he contacted Dalil's team on February 26, when he first noticed the exposed database. At the time of writing, the database remains wide open, despite several attempts to contact the vendor. Dalil's team also didn't return requests for comment from ZDNet.