Zombie projects - leak user data even after their death

I'm talking about personal data leaks again, but this time I'll say a little about the afterlife of IT projects, using two recent finds as examples.


While auditing database security, you often discover servers (I have written in this blog about how to search for exposed databases) belonging to projects that left this world long ago (or not so long ago). Such projects even continue to imitate life (they keep working), like zombies, collecting users' personal data after their own death.

Disclaimer: all information below is published solely for educational purposes. The author did not obtain access to the personal data of third parties or companies. The information was taken either from open sources or was provided to the author by anonymous well-wishers.

Let's start with the project with the loud name "Putin's Team" (putinteam.ru).

A server with an open MongoDB instance was discovered on 19.04.2019.


As you can see, an "extortionist" (ransomware) got to this database first:


The database does not contain particularly valuable personal data, but it does hold email addresses (fewer than 1000), first/last names, hashed passwords, GPS coordinates (apparently captured when registering from a smartphone), cities of residence and photos of the site's users who created a personal account on it.

{ 
    "_id" : ObjectId("5c99c5d08000ec500c21d7e1"), 
    "role" : "USER", 
    "avatar" : "https://fs.putinteam.ru/******sLnzZokZK75V45-1553581654386.jpeg", 
    "firstName" : "Вадим", 
    "lastName" : "", 
    "city" : "Санкт-Петербург", 
    "about" : "", 
    "mapMessage" : "", 
    "isMapMessageVerify" : "0", 
    "pushIds" : [

    ], 
    "username" : "5c99c5d08000ec500c21d7e1", 
    "__v" : NumberInt(0), 
    "coordinates" : {
        "lng" : 30.315868, 
        "lat" : 59.939095
    }
}

{ 
    "_id" : ObjectId("5cb64b361f82ec4fdc7b7e9f"), 
    "type" : "BASE", 
    "email" : "***@yandex.ru", 
    "password" : "c62e11464d1f5fbd54485f120ef1bd2206c2e426", 
    "user" : ObjectId("5cb64b361f82ec4fdc7b7e9e"), 
    "__v" : NumberInt(0)
}

There is a lot of junk data and many blank records. For example, the newsletter subscription code does not validate that an email address was actually entered, so anything at all can be submitted in place of an address.


Judging by the copyright notice on the site, the project was abandoned in 2018. All attempts to contact the project's representatives were unsuccessful. Yet registrations on the site still occur occasionally: an imitation of life.

The second zombie project in today's analysis is the Latvian startup Roamer (roamerapp.com/ru).

On 21.04.2019, an open MongoDB database belonging to the Roamer mobile application was discovered on a server in Germany.


The database, 207 MB in size, had been publicly accessible since 24.11.2018 (according to Shodan)!

By all external signs (a non-working technical support email address, broken links to the Google Play store, a 2016 copyright notice on the site, etc.), the application has long been abandoned.


At one time, nearly every outlet covering the field wrote about this startup:

  • VC: "Latvian startup Roamer is a roaming killer"
  • the-village: "Roamer: an application that reduces the cost of calls from abroad"
  • lifehacker: "How to cut communication costs in roaming by 10 times: Roamer"

The "killer" seems to have killed himself, but even dead he continues to disclose the personal data of his users...

Judging by the information in the database, many users continue to use this mobile application. Within a few hours of observation, 94 new entries appeared. And in the period from 27.03.2019 to 10.04.2019, 66 new users registered in the application.

The application's access logs (more than 100 thousand records) are openly accessible, with information such as:

  • user phone number
  • call-history access tokens (the history is retrievable via links of the form api3.roamerapp.com/call/history/1553XXXXXX)
  • call history (numbers, incoming or outgoing call, call cost, duration, call time)
  • user's mobile operator
  • user IP addresses
  • user's phone model and version of mobile OS on it (for example, iPhone 7 12.1.4)
  • user email address
  • user account balance and currency
  • user country
  • user's current location (country)
  • promotional codes
  • and much more.

{ 
    "_id" : ObjectId("5c9a49b2a1f7da01398b4569"), 
    "url" : "api3.roamerapp.com/call/history/*******5049", 
    "ip" : "67.80.1.6", 
    "method" : NumberLong(1), 
    "response" : {
        "calls" : [
            {
                "start_time" : NumberLong(1553615276), 
                "number" : "7495*******", 
                "accepted" : false, 
                "incoming" : false, 
                "internet" : true, 
                "duration" : NumberLong(0), 
                "cost" : 0.0, 
                "call_id" : NumberLong(18869601)
            }, 
            {
                "start_time" : NumberLong(1553615172), 
                "number" : "7499*******", 
                "accepted" : true, 
                "incoming" : false, 
                "internet" : true, 
                "duration" : NumberLong(63), 
                "cost" : 0.03, 
                "call_id" : NumberLong(18869600)
            }, 
            {
                "start_time" : NumberLong(1553615050), 
                "number" : "7985*******", 
                "accepted" : false, 
                "incoming" : false, 
                "internet" : true, 
                "duration" : NumberLong(0), 
                "cost" : 0.0, 
                "call_id" : NumberLong(18869599)
            }
        ]
    }, 
    "response_code" : NumberLong(200), 
    "post" : [

    ], 
    "headers" : {
        "Host" : "api3.roamerapp.com", 
        "X-App-Id" : "a9ee0beb8a2f6e6ef3ab77501e54fb7e", 
        "Accept" : "application/json", 
        "X-Sim-Operator" : "311480", 
        "X-Wsse" : "UsernameToken Username="/******S19a2RzV9cqY7b/RXPA=", PasswordDigest="******NTA4MDhkYzQ5YTVlZWI5NWJkODc5NjQyMzU2MjRjZmIzOWNjYzY3MzViMTY1ODY4NDBjMWRkYjdiZTQxOGI4ZDcwNWJmOThlMTA1N2ExZjI=", Nonce="******c1MzE1NTM2MTUyODIuNDk2NDEz", Created="Tue, 26 Mar 2019 15:48:01 GMT"", 
        "Accept-Encoding" : "gzip, deflate", 
        "Accept-Language" : "en-us", 
        "Content-Type" : "application/json", 
        "X-Request-Id" : "FB103646-1B56-4030-BF3A-82A40E0828CC", 
        "User-Agent" : "Roamer;iOS;511;en;iPhone 7;12.1.4", 
        "Connection" : "keep-alive", 
        "X-App-Build" : "511", 
        "X-Lang" : "EN", 
        "X-Connection" : "WiFi"
    }, 
    "created_at" : ISODate("2019-03-26T15:48:02.583+0000"), 
    "user_id" : "888689"
}
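An access log like the record above stores the per-user call-history token in the URL, the WSSE credential header and the called numbers, so the log store itself becomes the leak. As an added example (not Roamer's code), the following Python redacts those fields before a record is persisted; the record layout mirrors the leaked document, and the sample values are constructed:

```python
# Added example (not Roamer's code): scrub credentials and PII from an API
# access-log record before it is stored. Layout follows the leaked document.
import copy
import re

SECRET_HEADERS = {"x-wsse", "authorization", "cookie"}  # never store verbatim
PII_FIELDS = {"number", "phone", "email"}               # direct identifiers

def mask_phone(value: str) -> str:
    """Keep the first 4 digits, mask the rest: 74951234567 -> 7495*******."""
    digits = re.sub(r"\D", "", value)
    return digits[:4] + "*" * (len(digits) - 4) if len(digits) >= 8 else "*" * len(value)

def mask_ip(ip: str) -> str:
    """Truncate IPv4 to /24 so it no longer identifies a single user."""
    parts = ip.split(".")
    return ".".join(parts[:3] + ["0"]) if len(parts) == 4 else "[redacted]"

def _redact_body(obj):
    """Walk nested dicts/lists and mask PII fields in place."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k in PII_FIELDS and isinstance(v, str):
                obj[k] = "[redacted]" if k == "email" else mask_phone(v)
            else:
                _redact_body(v)
    elif isinstance(obj, list):
        for item in obj:
            _redact_body(item)
    return obj

def redact_log_record(record: dict) -> dict:
    """Return a copy of the record that is safe to write to a log store."""
    rec = copy.deepcopy(record)
    # The per-user call-history token is part of the URL path: strip it.
    rec["url"] = re.sub(r"(/call/history/)\d+", r"\1[token]", rec.get("url", ""))
    rec["ip"] = mask_ip(rec.get("ip", ""))
    for name in list(rec.get("headers", {})):
        if name.lower() in SECRET_HEADERS:
            rec["headers"][name] = "[redacted]"
    _redact_body(rec.get("response"))
    return rec

# Constructed sample shaped like the leaked access-log document above.
SAMPLE = {
    "url": "api3.roamerapp.com/call/history/1553000005049",
    "ip": "67.80.1.6",
    "response": {"calls": [{"number": "74951234567", "cost": 0.03, "duration": 63}]},
    "headers": {"Host": "api3.roamerapp.com", "User-Agent": "Roamer;iOS;511;en;iPhone 7;12.1.4",
                "X-Wsse": 'UsernameToken Username="u", PasswordDigest="d", Nonce="n"'},
}
```

The original record is left untouched (the function works on a deep copy), so the redaction can sit in logging middleware without affecting the response the client receives.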

Of course, it was not possible to contact the owners of the database. The contacts listed on the site do not work, and nobody responds to messages on social networks.

The app is still available on the Apple App Store (itunes.apple.com/app/roamer-roaming-killer/id646368973).

News about information leaks and insiders can always be found on my Telegram channel "Information leaks": https://t.me/dataleak.

Source: habr.com
