MongoDB database still publicly accessible
A security oversight from the developers of a popular caller ID app in Saudi Arabia has exposed the personal information of over five million users, according to researchers at vpnMentor.
The app, Dalil, is one of the most popular communication tools in Saudi Arabia and is used predominantly to search for and identify mobile numbers, acting as protection against scammers.
Information from the app is said to have been made public through a misconfigured MongoDB database, vpnMentor said. Compromised data includes users’ mobile number, IP address, SIM card number, and GPS location – all of which are collected by default.
Users’ profiles – containing a name, gender, email address, and profession – were also found to be publicly accessible.
“This data currently appears on a completely open database,” vpnMentor said in a blog post published today.
“Our team found it: this means anyone else who wants to look for it could, too. And while our hackers are not malicious, we cannot guarantee others’ motivations.”
vpnMentor said that Dalil is one of the most popular communications apps used in Saudi Arabia and throughout Middle Eastern countries such as Egypt.
The research team contacted the app’s developers to inform them of the unprotected database on February 26 but, despite repeated attempts, had yet to receive a response prior to the publication of the findings.
“After we reported the issue to Dalil (and before the report went live on our site), we noticed that ransomware had encrypted some data on the server, but new data kept being logged unencrypted,” Ariel Hochstadt, vpnMentor co-founder, told The Daily Swig.
“This shows that at least one actor was accessing their data, and we should all push them to act and protect their users.”
Hochstadt added that Dalil had appeared to allow external access to the database by not setting a password.
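As an added illustration, not drawn from the article or from Dalil’s actual deployment, the following constructed mongod.conf fragments show the kind of configuration that leaves a MongoDB instance reachable without a password, beside a hardened version that binds only to a private interface and requires authentication.

```yaml
# Constructed example: an exposed configuration.
# No authentication is enforced and the server listens on every interface,
# so anyone who can reach port 27017 can read and write all collections.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on all network interfaces
security:
  authorization: disabled  # this is also the default when the key is absent

---
# Constructed example: a hardened configuration.
# The server only accepts connections from localhost and a private
# application network, and every client must present valid credentials.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # assumed private address of the app host
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled       # enforce role-based access control
  javascriptEnabled: false     # reduce server-side code execution surface
# Before restarting with authorization enabled, create an administrative
# user on the "admin" database with the mongo shell, for example:
#   db.createUser({ user: "dbAdmin", pwd: passwordPrompt(),
#                   roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
# and grant application users only the roles their database needs.
```

With `authorization: enabled`, an unauthenticated connection can still open a socket but is refused on every read or write, which is the check an operator can run from a host outside the allowed list to confirm the database is no longer publicly accessible.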
The Daily Swig has reached out to Dalil for comment.