Hi Henry, I don't see a timeline. What was the vendor's response?
Jeff On Fri, Jan 20, 2012 at 11:29 AM, Henry Paduwa <henry.pad...@yahoo.fr> wrote: > Hi, > > I discovered that Vopium (http://vopium.com/), a popular VoIP app for Android > and iPhone, is simply leaking in *clear text* : > > - your login > - your IMEI (unique ID of your phone) > - your password (not even hashed !) > - your geolocation > - and all your contacts ! > > Just use wireshark on your network and put http as filter. > > See capture extract below : > FIND_YOUR_USERNAME_HERE -> it will be your phone number > > Here the longitude, latitude, login and IMEI: > > GET > /ge/index.php?ll=60.2345,9.1232&username=FIND_YOUR_USERNAME_HERE&imei=FIND_IMEI_HERE > HTTP/1.1 > Host: vopium.com > User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0 > Accept: */* > Accept-Language: en-us > Accept-Encoding: gzip, deflate > Cookie: __vc_lng=en > [...] > > > Here the login and password : > > POST /packagedetails.php?n=FIND_YOUR_USERNAME_HERE&p=FIND_YOUR_PASSWORD_HERE > HTTP/1.1 > Host: vopium.com > User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0 > Content-Length: 0 > Accept: */* > Accept-Language: en-us > Accept-Encoding: gzip, deflate > [...] > > And another one : > GET > /j/checkbalance.htm?username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&amountonly=y > HTTP/1.1 > Host: vopium.com > User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0 > Accept: */* > Accept-Language: en-us > Accept-Encoding: gzip, deflate > [...] > > And all your contacts : > > POST /oauthserver/synchservice HTTP/1.1 > [...] > username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&type=set&usercontacts=FIND_ALL_YOUR_CONTACTS_DATA > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
