How Not Setting up a Password Led to the Exposure of 5 Million Dalil Users
Here's an interesting conundrum: you find out that a mobile application developer has misconfigured a database and is exposing the data of millions upon millions of people to the world wide web. You try to contact the vendor and tell them to secure the database, but they don't respond. What do you do?
Security researchers Ran Locar and Noam Rotem were faced with the same dilemma recently. In the end, they decided to publicly announce what they had found, and to understand their motives, we must first learn what happened exactly.
The data of more than 5 million Middle Easterners exposed
Ran Locar was the person that first stumbled upon a MongoDB installation that was facing the internet but was not protected by a password. With the help of Noam Rotem, he figured out that the database belonged to Dalil – an Android caller ID application primarily aimed at the Middle Eastern market. The idea behind Dalil is that even if someone outside your contacts is calling you, you'll know who they are and you'll be able to reject any potentially unwanted calls.
For reasons that are not particularly clear, Dalil is collecting an enormous amount of information on its users. According to the Twitter thread with which Ran Locar broke the news, during registration, Dalil users are asked for things like their full name, address, email, and profession. At the same time, the app's Google Play page shows that upon installation, Dalil requests access to the user's contacts, location, text messages, call logs, and device information. This, more or less, is what Locar and Rotem saw in the open database.
A production server without a password
The researchers needed to find out what sort of server they were looking at. They were hoping that it would end up being a test bed full of old or irrelevant information. Unfortunately, it wasn't to be.
When Locar and Rotem located the database at the end of February, it contained close to 586 GB of data, but they quickly noticed that more information is being fed into it. The researchers told ZDNet that in a matter of about a month, the database had grown by about 208 thousand unique new phone numbers, and approximately 44 million app events (incoming and outgoing calls, registrations, etc.).
In other words, they were looking at a production server exposing the data of millions of real people from Saudi Arabia, Egypt, the UAE, and other countries. This was bad news, but worse was yet to come.
Cybercriminals have already accessed the database
After a bit more rummaging around, Locar and Rotem found a ransom note. Someone had already located the database, encrypted some of the data, and demanded a ransom to release it. Apparently, however, Dalil's developers, a company called Tech-World, either failed to notice the breach or ignored it and continued dumping more and more sensitive information into the exposed database.
Failing to notice and/or ignoring communication seems to be something Dalil's developers do more often than they should. After Locar and Rotem saw how serious the situation is, they immediately tried to get in touch with the software company, but unfortunately, it was to no avail. The attempts to communicate with the developers went unanswered, and on March 4, the two researchers brought the information to the public.
This was the right decision. Indeed, you could argue that telling the whole world about an open database with close to 600GB of sensitive data is bound to draw the attention of the bad guys, and you're right. The thing is, the crooks have already been inside, and they've already managed to wreak some havoc. Finding the database doesn't require any special tools or a particularly high level of technical skills, and the developer is clearly showing an inexplicably relaxed attitude towards the whole thing which means that it's up to the users to protect themselves. Let's hope they are made aware of the dangers before it's too late.