Hi,


I discovered that Vopium (http://vopium.com/), a popular VoIP app for Android and iPhone, is simply leaking in *clear text* :

- your login
- your IMEI (unique ID of your phone)
- your password (not even hashed !)
- your geolocation 
- and all your contacts !

Just use wireshark on your network and put http as filter.

See capture extract below :
FIND_YOUR_USERNAME_HERE -> it will be your phone number

Here the longitude, latitude, login and IMEI:

GET /ge/index.php?ll=60.2345,9.1232&username=FIND_YOUR_USERNAME_HERE&imei=FIND_IMEI_HERE HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: __vc_lng=en
[...]


Here the login and password :

POST /packagedetails.php?n=FIND_YOUR_USERNAME_HERE&p=FIND_YOUR_PASSWORD_HERE HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
[...]

And another one :
GET /j/checkbalance.htm?username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&amountonly=y HTTP/1.1
Host: vopium.com
User-Agent: Vopium3G/3.3 CFNetwork/548.0.4 Darwin/11.0.0
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
[...]

And all your contacts : 

POST /oauthserver/synchservice HTTP/1.1
[...]
username=FIND_YOUR_USERNAME_HERE&password=FIND_YOUR_PASSWORD_HERE&type=set&usercontacts=FIND_ALL_YOUR_CONTACTS_DATA