Re: [Full-disclosure] Vopium VoIP app is leaking login, password, IMEI, geolocation, and all your contacts in clear text
Hi Henry, I don't see a timeline. What was the vendor's response? Jeff On Fri, Jan 20, 2012 at 11:29 AM, Henry Paduwa henry.pad...@yahoo.fr wrote: Hi, I discovered that Vopium (http://vopium.com/), a popular VoIP app for Android and iPhone, is simply leaking in *clear text* : - your login - your IMEI (unique ID of your phone) - your password (not even hashed !) - your geolocation - and all your contacts ! Just use wireshark on your network and put http as filter. See capture extract below : FIND_YOUR_USERNAME_HERE - it will be your phone number Here the longitude, latitude, login and IMEI: GET /ge/index.php?ll=60.2345,9.1232username=FIND_YOUR_USERNAME_HEREimei=FIND_IMEI_HERE HTTP/1.1 Host: vopium.com User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate Cookie: __vc_lng=en [...] Here the login and password : POST /packagedetails.php?n=FIND_YOUR_USERNAME_HEREp=FIND_YOUR_PASSWORD_HERE HTTP/1.1 Host: vopium.com User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0 Content-Length: 0 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate [...] And another one : GET /j/checkbalance.htm?username=FIND_YOUR_USERNAME_HEREpassword=FIND_YOUR_PASSWORD_HEREamountonly=y HTTP/1.1 Host: vopium.com User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate [...] And all your contacts : POST /oauthserver/synchservice HTTP/1.1 [...] username=FIND_YOUR_USERNAME_HEREpassword=FIND_YOUR_PASSWORD_HEREtype=setusercontacts=FIND_ALL_YOUR_CONTACTS_DATA ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Vopium VoIP app is leaking login, password, IMEI, geolocation, and all your contacts in clear text
Hi, I discovered that Vopium (http://vopium.com/), a popular VoIP app for Android and iPhone, is simply leaking in *clear text* : - your login - your IMEI (unique ID of your phone) - your password (not even hashed !) - your geolocation - and all your contacts ! Just use wireshark on your network and put http as filter. See capture extract below : FIND_YOUR_USERNAME_HERE - it will be your phone number Here the longitude, latitude, login and IMEI: GET /ge/index.php?ll=60.2345,9.1232username=FIND_YOUR_USERNAME_HEREimei=FIND_IMEI_HERE HTTP/1.1 Host: vopium.com User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate Cookie: __vc_lng=en [...] Here the login and password : POST /packagedetails.php?n=FIND_YOUR_USERNAME_HEREp=FIND_YOUR_PASSWORD_HERE HTTP/1.1 Host: vopium.com User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0 Content-Length: 0 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate [...] And another one : GET /j/checkbalance.htm?username=FIND_YOUR_USERNAME_HEREpassword=FIND_YOUR_PASSWORD_HEREamountonly=y HTTP/1.1 Host: vopium.com User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate [...] And all your contacts : POST /oauthserver/synchservice HTTP/1.1 [...] username=FIND_YOUR_USERNAME_HEREpassword=FIND_YOUR_PASSWORD_HEREtype=setusercontacts=FIND_ALL_YOUR_CONTACTS_DATA ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/