Data breaches, whether intentional or caused by a bug, are something that should be taken very seriously. But it looks like a caller ID app with users in Saudi Arabia and other Arab countries has not been able to stop one that has exposed the personal data of more than 5 million of its users. The security researchers who discovered the problem have already contacted the developer, but it looks like the problem still has not been fixed and the app has continued to add data to the exposed database (hopefully just unknowingly).
Security researchers found the data in a MongoDB database that has no password protecting it. This means the app's entire database can be accessed by anyone who knows where to look and has the right tools. The exposed information includes cell phone numbers, app registration data (including names, email addresses, and Viber accounts), device details, telecom operator details, and, even worse, possibly GPS coordinates.
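As an added illustration, and not code from the ZDNet report or from the Dalil app, the block below shows the two mongod.conf settings that separate an open database of the kind described here from one that demands credentials, and a small audit function that flags the weak configuration. Both configuration texts are constructed examples; the file path and the minimal two-level parser (used so the script runs without PyYAML) are assumptions, not anything taken from the app's real deployment.

```python
"""Audit a mongod.conf (YAML) for the two settings that turn a MongoDB
instance into an open database: no access control, and a listener bound
to every interface. Constructed sample configs, minimal parser, no
third-party dependencies."""

# Constructed example of the kind of configuration behind an exposed database:
# no 'security' section, and the listener bound to all interfaces.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb   # assumed path, not from the article
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example of the same server hardened: access control on and the
# listener limited to loopback (application servers reach it over a private
# network or tunnel instead of the public internet).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb   # assumed path, not from the article
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the two-level 'section:\\n  key: value' layout mongod.conf uses.
    Returns {section: {key: value}}. Comments are stripped; nesting deeper
    than two levels is not needed for the keys audited here and is ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            conf[section] = value if value else {}
        elif section is not None and isinstance(conf[section], dict):
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_simple_yaml(text)
    findings = []

    # Check 1: authorization must be explicitly enabled, otherwise any client
    # that can reach the port can read and write every collection.
    security = conf.get("security", {})
    if not isinstance(security, dict) or security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "any client that reaches the port reads every collection")

    # Check 2: the listener should not face every interface. MongoDB has
    # defaulted to localhost binding since 3.6, so an absent bindIp is treated
    # as localhost here; 0.0.0.0, '::' or bindIpAll override that default.
    net = conf.get("net", {}) if isinstance(conf.get("net", {}), dict) else {}
    bind_ip = net.get("bindIp", "127.0.0.1")
    bind_all = any(ip.strip() in ("0.0.0.0", "::", "*") for ip in bind_ip.split(","))
    if bind_all or net.get("bindIpAll") == "true":
        findings.append("net.bindIp listens on all interfaces: the server is reachable "
                        "from the internet unless a firewall blocks the port")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_mongod_conf(conf) or ["no findings"])
```

Running it prints two findings for the weak configuration and none for the hardened one. Enabling authorization also requires creating at least one user with the appropriate roles before the restart, or the server will only accept connections through the localhost exception; the binding check is a complement to, not a replacement for, a host or network firewall in front of port 27017.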
If the user gave the app access to their location data, anyone who can reach the MongoDB database can track that user's real-time location: place a call to the user's number, look for the new log entry in the database, and extract the GPS coordinates from it. We don't need to expound on how dangerous this could be.
The researcher contacted the app developer about it, but as of this writing data is still being uploaded to the unprotected database. In the last month alone, 208,000 new unique numbers and 44 million app events have appeared there, mostly for Saudi users. There is also data from Egyptian, Emirati, European, and a few Israeli/Palestinian users.
The MongoDB server of the Dalil app is easy to find for anyone who knows how, and extracting the data is just as easy, so this is something the app developer should resolve as soon as it can.
VIA: ZDNet