I'm writing about personal data leaks again, but this time I'll say a little about the afterlife of IT projects, using two recent finds as examples.
In the process of database security auditing, it often happens that you discover servers (
Disclaimer: all information below is published exclusively for educational purposes. The author did not gain access to the personal data of third parties or companies. The information was either taken from open sources or provided to the author by anonymous well-wishers.
Let's start with the project with the loud name "Putin's Team" (putinteam.ru).
A server with an openly accessible MongoDB instance was discovered on 19.04.2019.
An "extortionist" had reached this database before I did: it already carried the ransom note left by one of the automated scripts that wipe open MongoDB instances and demand payment for the (usually non-existent) backup.
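For context on what "open" means here: an instance becomes reachable by anyone on the internet when mongod listens on all interfaces and security.authorization is left disabled, which is exactly the combination the ransom scripts scan for. The check below is an added example, not code from the original post or from either project on this page; the two mongod.conf fragments inside it are constructed for illustration and are not the real servers' configuration.

```python
import re

# Constructed mongod.conf fragments (YAML). Illustrative only; not the configuration
# of either server discussed in the article.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def _setting(conf, key):
    """Return the value of a 'key: value' line, or None if the key is absent.

    Deliberately a line match rather than a YAML parser: it keeps the block
    dependency-free, and the two keys checked here are single scalars in mongod.conf.
    """
    m = re.search(rf"^\s*{re.escape(key)}:\s*(.+?)\s*$", conf, re.M)
    return m.group(1).strip("\"'") if m else None


def audit_mongod_conf(conf):
    """List the settings that make an instance 'open' in the sense used above:
    reachable from any network and usable without credentials."""
    findings = []
    bind_ip = _setting(conf, "bindIp")
    bind_all = _setting(conf, "bindIpAll")
    listens_everywhere = (bind_all or "").lower() == "true" or (
        bind_ip is not None
        and any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(","))
    )
    if listens_everywhere:
        findings.append("net.bindIp/bindIpAll: mongod listens on all interfaces")
    if (_setting(conf, "authorization") or "").lower() != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can connect has full access"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "ok")
```

Two caveats when running this against a real host: MongoDB releases before 3.6 listened on all interfaces when bindIp was absent, so on such a version a missing line is itself a finding rather than a pass; and a clean result from the config file says nothing about a firewall or cloud security group that still exposes port 27017, so confirm from the outside with a connection attempt as well.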
The database does not contain especially sensitive personal data, but it does hold email addresses (fewer than 1000), first and last names, hashed passwords, GPS coordinates (apparently captured when registering from a smartphone), cities of residence and photos of users who created a personal account on the site. Note that the password value in the second record below is a 40-character hex string with no salt field stored alongside it, which is consistent with a single SHA-1 digest rather than a salted, iterated password hash; "hashed" in that form offers little protection against offline guessing.
{
    "_id" : ObjectId("5c99c5d08000ec500c21d7e1"),
    "role" : "USER",
    "avatar" : "https://fs.putinteam.ru/******sLnzZokZK75V45-1553581654386.jpeg",
    "firstName" : "Вадим",
    "lastName" : "",
    "city" : "Санкт-Петербург",
    "about" : "",
    "mapMessage" : "",
    "isMapMessageVerify" : "0",
    "pushIds" : [ ],
    "username" : "5c99c5d08000ec500c21d7e1",
    "__v" : NumberInt(0),
    "coordinates" : {
        "lng" : 30.315868,
        "lat" : 59.939095
    }
}
{
    "_id" : ObjectId("5cb64b361f82ec4fdc7b7e9f"),
    "type" : "BASE",
    "email" : "***@yandex.ru",
    "password" : "c62e11464d1f5fbd54485f120ef1bd2206c2e426",
    "user" : ObjectId("5cb64b361f82ec4fdc7b7e9e"),
    "__v" : NumberInt(0)
}
There is a lot of junk data and many blank records. For example, the newsletter subscription code does not validate that the submitted value is an email address, so anything at all can be entered instead of an address.
Judging by the copyright notice on the site, the project was abandoned in 2018. All attempts to contact the project's representatives were unsuccessful. However, there are still occasional registrations on the site, so there is an imitation of life.
The second zombie project in today's analysis is the Latvian startup Roamer (roamerapp.com/ru).
On 21.04.2019, an openly accessible MongoDB database belonging to the Roamer mobile application was discovered on a server in Germany.
The database, 207 MB in size, had been publicly accessible since 24.11.2018 (according to Shodan)!
By all external signs (a non-working technical support email address, broken links to the Google Play store, a copyright notice on the site dated 2016, etc.), the application has long been abandoned.
At one time, almost all the trade media wrote about this startup:
- VC: "Latvian startup Roamer is a roaming killer"
- The Village: "Roamer: an application that reduces the cost of calls from abroad"
- Lifehacker: "How to cut communication costs in roaming by 10 times: Roamer"
The "killer" seems to have killed itself, but even dead it continues to disclose its users' personal data...
Judging by the information in the database, many users still use this mobile application. Within a few hours of observation, 94 new entries appeared, and between 27.03.2019 and 10.04.2019, 66 new users registered in the application.
The application's access logs (more than 100 thousand records) are openly accessible and contain information such as:
- the user's phone number
- tokens giving access to call history (reachable via links of the form api3.roamerapp.com/call/history/1553XXXXXX)
- call history (numbers, incoming or outgoing, call cost, duration, call time)
- the user's mobile operator
- the user's IP address
- the user's phone model and the version of its mobile OS (for example, iPhone 7, iOS 12.1.4)
- the user's email address
- the user's account balance and currency
- the user's country
- the user's current location (country)
- promotional codes
- and much more.
{
    "_id" : ObjectId("5c9a49b2a1f7da01398b4569"),
    "url" : "api3.roamerapp.com/call/history/*******5049",
    "ip" : "67.80.1.6",
    "method" : NumberLong(1),
    "response" : {
        "calls" : [
            {
                "start_time" : NumberLong(1553615276),
                "number" : "7495*******",
                "accepted" : false,
                "incoming" : false,
                "internet" : true,
                "duration" : NumberLong(0),
                "cost" : 0.0,
                "call_id" : NumberLong(18869601)
            },
            {
                "start_time" : NumberLong(1553615172),
                "number" : "7499*******",
                "accepted" : true,
                "incoming" : false,
                "internet" : true,
                "duration" : NumberLong(63),
                "cost" : 0.03,
                "call_id" : NumberLong(18869600)
            },
            {
                "start_time" : NumberLong(1553615050),
                "number" : "7985*******",
                "accepted" : false,
                "incoming" : false,
                "internet" : true,
                "duration" : NumberLong(0),
                "cost" : 0.0,
                "call_id" : NumberLong(18869599)
            }
        ]
    },
    "response_code" : NumberLong(200),
    "post" : [ ],
    "headers" : {
        "Host" : "api3.roamerapp.com",
        "X-App-Id" : "a9ee0beb8a2f6e6ef3ab77501e54fb7e",
        "Accept" : "application/json",
        "X-Sim-Operator" : "311480",
        "X-Wsse" : "UsernameToken Username="/******S19a2RzV9cqY7b/RXPA=", PasswordDigest="******NTA4MDhkYzQ5YTVlZWI5NWJkODc5NjQyMzU2MjRjZmIzOWNjYzY3MzViMTY1ODY4NDBjMWRkYjdiZTQxOGI4ZDcwNWJmOThlMTA1N2ExZjI=", Nonce="******c1MzE1NTM2MTUyODIuNDk2NDEz", Created="Tue, 26 Mar 2019 15:48:01 GMT"",
        "Accept-Encoding" : "gzip, deflate",
        "Accept-Language" : "en-us",
        "Content-Type" : "application/json",
        "X-Request-Id" : "FB103646-1B56-4030-BF3A-82A40E0828CC",
        "User-Agent" : "Roamer;iOS;511;en;iPhone 7;12.1.4",
        "Connection" : "keep-alive",
        "X-App-Build" : "511",
        "X-Lang" : "EN",
        "X-Connection" : "WiFi"
    },
    "created_at" : ISODate("2019-03-26T15:48:02.583+0000"),
    "user_id" : "888689"
}
Of course, it was not possible to contact the owners of the database. The contacts listed on the site do not work, and no one responds to messages on social networks.
The app is still available on the Apple App Store (itunes.apple.com/app/roamer-roaming-killer/id646368973).
News about information leaks and insiders can always be found on my Telegram channel "
Source: habr.com