Android apps from Zcall served up everything from delivery addresses to bank details

A data security oversight from a South Korean app developer appears to have caused more than 26 million documents to be leaked over the last month – some of which contained sensitive customer data stored in plaintext.

The issue was uncovered by Justin Paine, director of trust and safety at security firm Cloudflare, who says he discovered an Elasticsearch database with Kibana front-end that lacked any type of authentication at all.

The two Android apps concerned – Zcall Delivery Agent and Zcall Delivery Account Manager – are used to schedule and report package pickups and deliveries. They were developed by Zcall of South Korea and available on the Google Play Store.

The leaked information includes not only names, addresses, phone numbers, and delivery times, but also plaintext passwords for shop and staff logins, as well as what appears to be plaintext banking information.

While the leaked pickup and delivery address information is not particularly dangerous, the name and phone number information of the people making and receiving the delivery could potentially make them vulnerable to scam phone calls.

“The plaintext passwords were in combination with an ID value, but I did not see any information such as an email address or username associated with this ID value,” Paine told The Daily Swig.

“As such, the plaintext password on its own wouldn’t have been enough to allow a malicious user to log in as that user. This is good news.”

However, the rest of the leaked information raises more serious questions over the security of users’ data.

“The leaked bank account number, bank owner, name, address, and phone number information is potentially high severity,” said Paine. “The amount of leaked information could potentially be enough to socially engineer the bank to gain access to and/or modify someone’s bank account.”

Paine chose not to run a query to count the number of unique Zcall users, he says, as this can be a resource-intense activity and he didn’t want to negatively impact their production server.

However, each day, he says in a brief technical write-up, the apps were leaking an astonishing 3.4 million events.

Paine says that despite multiple emails, Zcall has not responded – and that a separate email to the company’s listed information protection officer bounced back. This is despite the fact that the apps were updated as recently as January 24, so it’s clear that they have not been abandoned.

There is, however, a statement on the website acknowledging the incident.

“We have been doing our best to protect your information safely, but recently we have been informed that the personal information of our members has been leaked from the Korea Internet Promotion Agency,” a translation reads.

“As soon as we received the notification, we blocked the outflow route to prevent further leakage. The outflow is estimated from January 13, 2019, and it is not a hacking accident caused by the intrusion of the network.”

As of January 30, one of the apps has been removed from the Google Play Store.

Meanwhile, says Paine, the exposed Elasticsearch database and Kibana front-end tool appear to have finally been taken down or have been firewalled off.