VpnMentor: Dalil, the biggest communication app in Saudi Arabia, has a security breach and complete set of data of more than 5 million users are open and accessible to the entire Internet

Dalil, the biggest communication app in Saudi Arabia (KSA), has a security breach, and complete set of data of more than 5 million users are open and accessible to the entire Internet. It has been discovered by VpnMentor cyber security experts. The phone directory works like Truecaller, helping users identify unknown numbers and 96% of its users are in Saudi Arabia; the remainder are in Egypt and other Arab countries. According to the researchers, all the user data gathered by Dalil are stored in an unsecured and unmonitored MongoDB database. It’s reachable without authentication, giving hackers password-free access to millions of people’s data. As well as the application log, this database includes both harvested and voluntarily-submitted personal information.  

Which are the data harvested, voluntary or not, by the app

According to VpnMentor, when users create their profiles on Dalil, in fact, they are prompted to add additional information, including their Personal email account, First and last name, Gender, and Profession. Furthermore, the app collects user cell phone numbers; IP address (internal and external where applicable); device model, token, serial number, and operating system; IMEI (the device’s specific identification number); Sim card and network provider information; GPS and network location information. The cyber security experts, to demonstrate the breach, created a profile for one user from hacked data. This thanks to the fact that the app collects large amounts of information. They found user’s phone number, IMEI, network data, and a lot of personal information. Furthermore, translating the Unicode from the database into Arabic lettering, they saw the area in which he lives.

What the cyber security experts discovered

According to VpnMentor’s blog, “We discovered this breach as a result of a web mapping project. Our hacker uses port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked. In this case, they installed the app and entered their own data. This allowed them to confirm both that their data was leaked, and the identity of the database. We contacted Dalil to alert them to this security breach and gave them a few days to find and secure their database before this knowledge became public. At the time of publication, we had not yet heard back from them. After we reported the issue (and before we published this report),” the cyber security experts add, “we also noticed that while some data on the server was being encrypted, but new data was unencrypted when logged. This shows that at least one malicious actor was accessing user data. We urge Dalil in the strongest possible terms to act quickly and protect their users”.

The risks of the Dalil’s breach for the users

The Dalil’s breach expose users to huge security and economic risks. Not only in the cyber domain. If the contents of the database would be sold to third-party advertisers (or governments and terror organizations in the dark web), knowledge of users’ genders, professions, and locations could allow them to create targeted ads (or hostile acts). Furthermore, knowing the precise make and model of users’ phones, as well as their operating systems, allows for highly specific malware placement. This could create huge personal and financial loss for millions of users across Saudi Arabia, Egypt, and other countries where the app is popular. Finally, The app also has permission to “find accounts on the device” and to access to the device’s stored media files and received text messages. So, it’s possible that also these files could be hacked.