lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 20 Jan 2012 16:29:36 +0000 (GMT)
From: Henry Paduwa <henry.paduwa@...oo.fr>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Vopium VoIP app is leaking login, password, IMEI,
	geolocation, and all your contacts in clear text

Hi,

I discovered that Vopium (http://vopium.com/), a popular VoIP app for Android and iPhone, is simply leaking in *clear text* :

- your login
- your IMEI (unique ID of your phone)
- your password (not even hashed !)
- your geolocation 
- and all your contacts !

Just use wireshark on your network and put http as filter.

See capture extract below :
FIND_YOUR_USERNAME_HERE -> it will be your phone number

Here the longitude, latitude, login and IMEI:

GET /ge/index.php?ll=60.2345,9.1232&username=FIND_YOUR_USERNAME_HERE&imei=FIND_IMEI_HERE HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: __vc_lng=en
[...]


Here the login and password :

POST /packagedetails.php?n=FIND_YOUR_USERNAME_HERE&p=FIND_YOUR_PASSWORD_HERE HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
[...]

And another one :
GET /j/checkbalance.htm?username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&amountonly=y HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
[...]

And all your contacts : 

POST /oauthserver/synchservice HTTP/1.1
[...]
username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&type=set&usercontacts=FIND_ALL_YOUR_CONTACTS_DATA


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ