Unprotected VOIP Server Exposed Millions of SMS Messages, Call Logs

A California-based Voice-Over-IP (VoIP) services provider VOIPO has accidentally left tens of gigabytes of its customer data, containing millions of call logs, SMS/MMS messages, and plaintext internal system credentials, publicly accessible to anyone without authentication.

VOIPo is one of a leading providers of Voice-Over-IP (VoIP) services in the United States offering reseller VoIP, Cloud VoIP, and VoIP services to residentials and small businesses.

Justin Paine, the head of Trust & Safety at CloudFlare, discovered an open ElasticSearch database last week using the Shodan search engine and notified the VOIPO’s CTO, who then promptly secured the database that contains at least 4 years of data on its customers.

According to Paine, the database contained 6.7 million call logs dating back to July 2017, 6 million SMS/MMS logs dating back to December 2015, and 1 million logs containing API key for internal systems.

While the call logs included timestamp and duration of VOIPO customers’ VOIP calls and partial originating and destination phone numbers of those calls, the SMS and MMS logs even included the full content of messages.

“Based on the user agent of some of the calls observed,…, it seemed likely that this VOIP provider was targeted (as many of them) by scanners attempting to make fraudulent 9xx premium calls,” Paine wrote in a blog post published Tuesday.

Besides this, the unprotected database also stored 1 million logs containing references to internal hostnames, some of which also included plaintext usernames and passwords for those systems. These sensitive values were exposed since June 3, 2018.

“It is difficult to overstate the severity of this part of the leak. Unless VOIPO had deployed adequate firewall protections (which this researcher did not test) to limit access to internal systems to a specific whitelist of IPs and/or a corporate VPN then leaked internal hostnames in combination with the leaked usernames and passwords could have resulted in a near total compromise of all leaked production systems,” Paine said.

When Paine reached out to VOIPO, the company said this was “a development server that had accidentally been left publicly accessible.”

However, they also confirmed that the database also contained “valid data,” which means real production data, without specifying which data was allegedly development data and which was production data.

Paine speculated that the leaked plaintext credentials were likely production credentials and that the SMS/MMS and VOIP call logs appeared to be production data.

The researcher notified VOIPO about the insecured ElasticSearch database on January 8, 2019, and the company confirmed on the same day that it took down the database offline.

This is second time in this month when a huge database containing millions of users record has been found open to the world.

Just last week, we reported about a massive MongoDB database of 854.8 gigabytes of data containing records of over 202 million Chinese job seekers that found accessible to anyone on the Internet without authentication.