Vopium for Android and iPhone leaks various data such as your password by passing it in the clear.
006feebf3184c898d414ea373175d64843914bb7e535369ca74b8aa5cfe9312b
Hi,
I discovered that Vopium (http://vopium.com/), a popular VoIP app for Android and iPhone, is simply leaking in *clear text* :
- your login
- your IMEI (unique ID of your phone)
- your password (not even hashed !)
- your geolocation
- and all your contacts !
Just use wireshark on your network and put http as filter.
See capture extract below :
FIND_YOUR_USERNAME_HERE -> it will be your phone number
Here the longitude, latitude, login and IMEI:
GET /ge/index.php?ll=60.2345,9.1232&username=FIND_YOUR_USERNAME_HERE&imei=FIND_IMEI_HERE HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: __vc_lng=en
[...]
Here the login and password :
POST /packagedetails.php?n=FIND_YOUR_USERNAME_HERE&p=FIND_YOUR_PASSWORD_HERE HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
[...]
And another one :
GET /j/checkbalance.htm?username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&amountonly=y HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
[...]
And all your contacts :
POST /oauthserver/synchservice HTTP/1.1
[...]
username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&type=set&usercontacts=FIND_ALL_YOUR_CONTACTS_DATA