South Korean Android delivery apps found to be leaking passwords and financial data

This will be a fairly brief brain dump.

TL;DR – I would not recommend installing or using either of the following Android applications:

Zcall Delivery Agent – https://play.google.com/store/apps/details?id=kr.co.zcall.app.delivery

Zcall Delivery Account Manager – https://play.google.com/store/apps/details?id=kr.co.zcall.app.staff

An ElasticSearch database (with Kibana front-end) was discovered. This server did not have any type of authentication.

Numerous notifications have been sent to the email address indicated in the Google Store, but no reply has been received. These Android apps were recently updated (January 24, 2019) so they are not abandoned.

Zcall appears to be a delivery service based in South Korea. This does not appear to be a user-facing service. Zcall is a service used by the individual or organization delivering a package.

The website related to these apps is https://www.zcall.co.kr/  

The website indicates that the privacy policy is located here: https://www.zcall.co.kr/customer/%EA%B0%9C%EC%9D%B8%EC%A0%95%EB%B3%B4%EC%B7%A8%EA%B8%89%EB%B0%A9%EC%B9%A8.html

10. Wrote personal information protection officer
① The Company is responsible for the handling of personal information, and has designated the person responsible for the protection of personal information as follows for the complaint handling and damage relief of information subject related to personal information processing.
▶ Person in Charge of Personal Information
Name: Kim Young Kyung
Title: Team Leader
Position: Manager
Contact: 05022223838, [email protected]

The information protection officer's email address sadly does not exist – the email bounced.

Each day these apps are leaking at least 3.4M events.

index            	docs.count
zcall-2019.01.19	4,443,056
zcall-2019.01.20	4,346,064
zcall-2019.01.21	3,474,464
zcall-2019.01.22	3,691,154
zcall-2019.01.23	3,526,036
zcall-2019.01.24	3,744,973
zcall-2019.01.25	522,205

What was leaked:

Earliest data: January 13th 2019

Last 30 days: 26,670,885 documents

Minor things:

  1. Pickup date/time and address for a delivery.
  2. Delivery date/time and address for a delivery.
  3. Phone numbers for the companies where a package is picked up and where it is delivered.
		"companyNo": 120,
		"companyName": "서울마포지사",
		"shopNo": 3564,
		"shopName": "XXXXXXXXX",
		"saleNo": "XXXXXXXXX",
		"partnerCode": "ZCALL",
		"requestDt": "2019-01-21 01:16:14",
		"pickupName": "XXXXXXXXX",
		"pickupTelNo": "XXXXXXXXX",
		"pickupAddress": "XXXXXXXXX",
		"pickupAddressBunji": "506-17",
		"pickupAddressDetail": "XXXXXXXXX",
		"pickupAddressStreet": "XXXXXXXXX",
		"pickupAddressBuilding": "15",
		"pickupLng": XXXXXXXXX,
		"pickupLat": XXXXXXXXX,
		"pickupX": XXXXXXXXX,
		"pickupY": XXXXXXXXX,
		"pickupRequestDt": "2019-01-21 01:36:06",
		"pickupDelayPreDt": "2019-01-21 01:36:06",
		"pickupDelayDt": "2019-01-21 01:36:06",
		"pickupCompleteDt": "2019-01-21 01:30:49",
		"deliveryName": "",
		"deliveryTelNo": "XXXXXXXXX",
		"deliveryAddress": "XXXXXXXXX",
		"deliveryAddressBunji": "377-1",
		"deliveryAddressDetail": "XXXXXXXXX",
		"deliveryAddressStreet": "XXXXXXXXX",
		"deliveryAddressBuilding": "67",
		"deliveryLng": XXXXXXXXX,
		"deliveryLat": XXXXXXXXX,
		"deliveryX": XXXXXXXXX,
		"deliveryY": XXXXXXXXX,
		"deliveryRequestDt": "2019-01-21 01:16:15",
		"distance": 1165,
		"amount": 23000.0,
		"deliveryFee": 3300.0,
		"paymentCashTypeCode": "M",
		"staffNo": 2700,
		"staffName": "XXXXXXXXX",
		"staffCellNo": "XXXXXXXXX",

Major things:

  1. Plaintext passwords for shop logins.
  2. Plaintext passwords for staff logins.
  3. What appears to be plaintext bank information.

Shop logins with passwords:

Staff logins with passwords:

Example bank information:

		"bossName": "XXXXXXXXX",
		"businessName": null,
		"telNo": "XXXXXXXXX",
		"cellNo": "XXXXXXXXX",
		"registrationNo": "",
		"address": "",
		"addressBunji": "",
		"addressDetail": "",
		"addressStreet": null,
		"addressBuilding": null,
		"bankCode": "XXXXXXXXX",
		"bankAccountNo": "XXXXXXXXX",
		"bankAccountOwner": "XXXXXXXXX",
		"vanCode": null,
		"vanStoreCode": null,
		"lng": XXXXXXXXX,
		"lat": XXXXXXXXX,
		"x": XXXXXXXXX,
		"y": XXXXXXXXX,
		"createdDt": "2018-12-04 16:51:04",
		"modifiedDt": "2019-01-21 01:09:00",
		"no": 4662,
		"statusCode": "Y",
		"id": "41643953",
		"name": "XXXXXXXXX",
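
One control that limits this kind of exposure is masking credential and banking fields before an event is shipped to a log index. The following is an added example, not code from Zcall or from the original post; the bank and phone key names come from the documents above, while the `login` and `password` keys and all sample values are constructed assumptions.

```python
import re

# Key names copied from the leaked documents shown on this page.
PAGE_KEYS = {
    "bankCode", "bankAccountNo", "bankAccountOwner",
    "pickupTelNo", "deliveryTelNo", "staffCellNo", "telNo", "cellNo",
}
# Assumption: the page does not show the credential field names, so any key
# that looks like a password, secret or token is treated as sensitive.
SECRET_KEY = re.compile(r"passw|pwd|secret|token", re.IGNORECASE)
MASK = "[REDACTED]"

def is_sensitive(key):
    return key in PAGE_KEYS or bool(SECRET_KEY.search(key))

def scrub(event):
    """Return (masked copy of event, paths of the fields that were masked)."""
    hits = []
    def walk(node, path):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if is_sensitive(key) and value not in (None, ""):
                    out[key] = MASK          # never ship the real value
                    hits.append(here)
                else:
                    out[key] = walk(value, here)
            return out
        if isinstance(node, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return node

    return walk(event, ""), hits

# Constructed sample event; "login" and "password" are hypothetical key names.
SAMPLE = {
    "staffNo": 2700,
    "staffCellNo": "000-0000-0000",
    "login": {"id": "constructed-id", "password": "constructed-secret"},
    "shops": [{"shopNo": 3564, "bankCode": "000", "bankAccountNo": "0000000000",
               "addressStreet": None}],
    "amount": 23000.0,
}

if __name__ == "__main__":
    clean, masked = scrub(SAMPLE)
    print(clean)
    print("masked fields:", masked)
```

The returned list of masked paths can itself be logged, so a review shows which producers are still emitting sensitive fields.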

My hope is the Android app developer will address this issue soon.
