[BreachExchange] South African IT firm Conor behind the leak of 1 million web browsing records

Destry Winant destry at riskbasedsecurity.com
Wed Dec 18 09:59:39 EST 2019


A database containing highly sensitive and private information and
activity, including porn browsing history, has been exposed, with
users in South Africa mostly affected.

The database, according to vpnMentor's research team, belonged to
South African IT company Conor.

As the researchers detailed, daily logs of user activity by customers
of ISPs using web filtering software built by Conor exposed all
internet traffic and activity of these users, along with their
personally identifying information.

The software was a web filter developed for ISP clients to restrict
access to certain websites and types of online content.

vpnMentor said its web scanner picked up the database on November 12.
It was reportedly unsecured and unencrypted.

According to vpnMentor, over 890GB of data and over 1 million records
were exposed.

vpnMentor said its team was able to view a user's activity on porn
websites. It also said with usernames also exposed, locating a
specific person on various social media platforms was easy.

"We viewed constantly updating user activity logs for the last two
months from customers of numerous ISPs based in African and South
American countries," the report details.

"We found entries from users viewing porn for example, as well as
their social media accounts."

In addition to websites visited by users, vpnMentor's researchers were
able to view the index names, which exposed daily activity; MSISDN, a
global mobile communications subscription number; IP addresses; the
duration of connection or visit to a website; the volume of data
transferred per session; the full website URL; and if a website had
been blocked by the filter or not.

The database also exposed how Conor's web filter worked and its rules
for blocking content, with vpnMentor highlighting how this knowledge
could be used to bypass the filter, making it ineffective and

According to the company's website, it has a presence in Chad, the
Democratic Republic of the Congo, Gabon, Ghana, Kenya, Lesotho,
Malawai, Namibia, South Africa, and Tanzania. In South America, its
footprint extends to Bolivia, Colombia, and Venezuela.

vpnMentor said its team viewed data entries from numerous mobile ISPs,
such as Tshimedzwa Cellular and Flickswitch in South Africa, and MTN
in Kenya. There were also entries from South American countries, such
as Bolivia, it said.

More information about the BreachExchange mailing list