[BreachExchange] Insecure Ride App Database Leaks Data of 300K Iranian Drivers

Destry Winant destry at riskbasedsecurity.com
Mon Apr 22 10:16:02 EDT 2019


https://threatpost.com/insecure-ride-app-database-leaks-data-of-300k-iranian-drivers/143955/

A researcher said that millions of records were leaking 300,000 Tap30
drivers’ names, ID numbers and phone numbers.

A researcher has discovered that over a quarter-million drivers of the
Iranian ride hailing app Tap30 have had their data left publicly
exposed in an insecure database.

Tap30 is an online taxi application, similar to Uber, that connects
users to drivers through the mobile app and the corporate panel. The
app has more than a million installs on Google Play.

Researcher Bob Diachenko said that on Thursday, he found a database
owned by Tap30 left open for three days, leaking an estimated 1 to 2
million unique records. That contained the information of around
300,000 drivers, Diachenko told Threatpost.

That data, which is estimated to originate from 2017 to 2018, includes
drivers’ first and last names, phone numbers, and Iranian ID numbers
(stored in plain text), according to Diachenko: “The fact alone that
such highly sensitive PII (personally identifiable information) was
available in the wild for at least 3 days, is scary,” he said in a
report of the leaky database posted Thursday.

Diachenko told Threatpost that the database has been secured, and that
there is no evidence that the data was abused. Furthermore, he said
that the database was an “isolated incident” and only drivers’ records
were exposed (as opposed to passengers’ data).

He first came across the database using the BinaryEdge search engine
during a regularly scheduled audit of NoSQL databases.

The database was called ‘doroshke-invoice-production’ (“doroshke”
means carriage in Persian) and had two collections of invoices
containing driver first and last name, 10-digit Iranian ID number in
plain text, phone numbers and invoice dates.

While Diachenko originally estimated the database had 6.7 million
unique records, after accounting for duplicates in the dataset he
updated that estimate to 1 to 2 million.

Tap30, meanwhile, has secured the database. In a series of tweets,
Tap30 said that they are confident there was no access to information
about passengers and trips. The company did not immediately respond to
a request for comment from Threatpost.

Mistakenly exposed databases, which generally stem from error rather
than malice, continue to plague companies.

In April, hundreds of millions of Facebook records, including account
names, personal data, and more, were found in two separate
publicly-exposed app datasets. And in January, an improperly secured
database owned by California voice-over-internet provider, VOIPO, left
millions of customer call logs, SMS message logs and credentials in
plain text open for months for the taking.

Diachenko said that the danger of having an exposed MongoDB or similar
NoSQL database “is huge.”

“I have previously reported that the lack of authentication allowed
the installation of malware or ransomware on the MongoDB servers,” he
said. “The public configuration allows the possibility of
cybercriminals to manage the whole system with full administrative
privileges. Once the malware is in place criminals could remotely
access the server resources and even launch a code execution to steal
or completely destroy any saved data the server contains.”
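The "public configuration" Diachenko describes comes down to two settings: a mongod that listens on every interface and has authorization left at its default of disabled. The following mongod.conf fragments are an added illustration, not Tap30's configuration or anything from the article; the first shows the exposed shape, the second a hardened baseline. The private address 10.0.1.5 and the certificate path are placeholders.

```yaml
# Added example: two constructed mongod.conf files shown side by side,
# separated by a YAML document marker. Not Tap30's configuration.

# --- Exposed instance: the shape of deployment the article describes ---
# bindIp 0.0.0.0 accepts connections on every interface, and with
# security.authorization absent (default: disabled) any client that can
# reach port 27017 acts with full administrative privileges: it can list,
# read, modify or drop every database on the server.
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
---
# --- Hardened baseline ---
net:
  port: 27017
  # Listen only on loopback and the private interface of the app tier
  # (10.0.1.5 is a placeholder for the real internal address).
  bindIp: 127.0.0.1,10.0.1.5
  tls:
    # Refuse plaintext connections (MongoDB 4.2+ key; older releases use net.ssl)
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  # Require role-based authentication on every connection
  authorization: enabled
setParameter:
  # Disable the localhost exception that lets an unauthenticated local
  # client act as admin before the first user has been created
  enableLocalhostAuthBypass: false
storage:
  dbPath: /var/lib/mongodb
```

After switching to the hardened file, create the admin user first (the localhost exception is gone, so do it before restarting with the bypass disabled), then verify from a host outside the private network that `mongosh --host <address> --eval 'db.adminCommand({listDatabases: 1})'` is refused with an authentication error, and that the host firewall blocks 27017 from the internet regardless of what the daemon binds to. Periodically checking your own public address space in a search engine such as BinaryEdge, as Diachenko did, is a cheap way to confirm the exposure really is closed.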

