Vopium Clear Text Disclosure

Posted Jan 21, 2012
Authored by Henry Paduwa

Vopium for Android and iPhone leaks various data such as your password by passing it in the clear.

tags | advisory, info disclosure
systems | apple, iphone
MD5 | 624744baa5cdb47240b0bfc201bee2b9

Hi,


I discovered that Vopium (http://vopium.com/), a popular VoIP app for Android and iPhone, is simply leaking in *clear text*:

- your login
- your IMEI (unique ID of your phone)
- your password (not even hashed!)
- your geolocation
- and all your contacts!

Just use Wireshark on your network and put http as the filter.

See the capture extract below:
FIND_YOUR_USERNAME_HERE -> it will be your phone number

Here are the longitude, latitude, login and IMEI:

GET /ge/index.php?ll=60.2345,9.1232&username=FIND_YOUR_USERNAME_HERE&imei=FIND_IMEI_HERE HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: __vc_lng=en
[...]


Here are the login and password:

POST /packagedetails.php?n=FIND_YOUR_USERNAME_HERE&p=FIND_YOUR_PASSWORD_HERE HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
[...]

And another one:
GET /j/checkbalance.htm?username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&amountonly=y HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
[...]

And all your contacts:

POST /oauthserver/synchservice HTTP/1.1
[...]
username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&type=set&usercontacts=FIND_ALL_YOUR_CONTACTS_DATA
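
As an added example (not part of the original advisory and not Vopium's code), a defender reviewing captured or proxied plain-HTTP requests can flag the parameters the advisory lists and note whether each one travels in the URL or in the form body. The function name and category labels are assumptions of this example, and the sample requests are constructed from the excerpts above with placeholder values.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names come from the requests quoted in the advisory; the category
# labels are this example's own. "n" and "p" are generic names, so on other
# traffic they would need to be scoped to the endpoint that uses them.
SENSITIVE = {
    "n": "login", "username": "login",
    "p": "password", "password": "password",
    "imei": "device-id", "ll": "geolocation", "usercontacts": "contacts",
}

def audit_request(raw):
    """Return sorted (location, parameter, category) findings for one raw
    HTTP request that was observed unencrypted on the wire."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    _method, target, _version = head.split("\n")[0].split(" ", 2)
    findings = set()
    # Query-string secrets also end up in server and proxy access logs.
    for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            findings.add(("url", name, SENSITIVE[name.lower()]))
    # Form bodies stay out of most logs but are just as readable on plain HTTP.
    for name, _ in parse_qsl(body.strip(), keep_blank_values=True):
        if name.lower() in SENSITIVE:
            findings.add(("body", name, SENSITIVE[name.lower()]))
    return sorted(findings)

# Constructed samples modelled on the advisory's excerpts; values are placeholders.
SAMPLES = [
    "GET /ge/index.php?ll=0.0,0.0&username=USER&imei=IMEI HTTP/1.1\r\n"
    "Host: vopium.com\r\n\r\n",
    "POST /packagedetails.php?n=USER&p=PASS HTTP/1.1\r\n"
    "Host: vopium.com\r\nContent-Length: 0\r\n\r\n",
    "POST /oauthserver/synchservice HTTP/1.1\r\nHost: vopium.com\r\n\r\n"
    "username=USER&password=PASS&type=set&usercontacts=CONTACTS",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        request_line = raw.split("\r\n", 1)[0]
        for where, name, category in audit_request(raw):
            print(f"{request_line}: {category} in {where} parameter '{name}'")
```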
