Insecure Ride App Database Leaks Data of 300K Iranian Drivers

2019-04-19T16:37:30
ID THREATPOST:8188906D5D7F97E15F6AB8F0FD808E4C
Type threatpost
Reporter Lindsey O'Donnell
Modified 2019-04-19T16:37:30

Description

A researcher has discovered that over a quarter-million drivers of the Iranian ride hailing app Tap30 have had their data left publicly exposed in an insecure database.

Tap30 is an online taxi application, similar to Uber, that connects users to drivers through the mobile app and the corporate panel. The app has more than a million installs on Google Play.

Researcher Bob Diachenko said that on Thursday, he found a database owned by Tap30 left open for three days, leaking an estimated 1 to 2 million unique records. That contained the information of around 300,000 drivers, Diachenko told Threatpost.

That data, which is estimated to originate from 2017 to 2018, includes drivers’ first and last names, phone numbers, and Iranian ID numbers (stored in plain text), according to Diachenko: “The fact alone that such highly sensitive PII (personally identifiable information) was available in the wild for at least 3 days, is scary,” he said in a report of the leaky database posted Thursday.

Diachenko told Threatpost that the database has been secured, and that there is no evidence that the data was abused. Furthermore, he said that the database was an “isolated incident” and only drivers’ records were exposed (as opposed to passengers’ data).

He first came across the database using a BinaryEdge search engine during a regularly-scheduled audit of nonSql databases.

The database was called ‘doroshke-invoice-production’ (“doroshke” means carriage in Persian) and had two collections of invoices containing driver first and last name, 10-digit Iranian ID number in plain text, phone numbers and invoice dates.

> [UPDATE ON IRANIAN DATABASE INCIDENT] @TAP30_ir @nima @kh_ashkan pic.twitter.com/vk0jqAno1T > > — Bob Diachenko (@MayhemDayOne) April 19, 2019

While Diachenko originally estimated the database had 6.7 unique million records, after recording duplicates in the dataset he updated that estimate to 1 to 2 million.

Tap30, meanwhile, has secured the database. In a series of tweets, Tap30 said that they are confident there was no access to information about passengers and trips. The company did not immediately respond to a request for comment from Threatpost.

Mistakenly exposed databases – which generally are not necessarily malicious – continue to plague companies.

In April, hundreds of millions of Facebook records, including account names, personal data, and more, were found in two separate publicly-exposed app datasets. And in January, an improperly secured database owned by California voice-over-internet provider, VOIPO, left millions of customer call logs, SMS message logs and credentials in plain text open for months for the taking.

Diachenko said that the danger of having an exposed MongoDB or similar NoSql database “is huge.”

“I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers,” he said. “The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.