Ride-Hailing Company operating in Iran exposes data of Iranian Drivers

Pierluigi Paganini April 21, 2019

A security researcher discovered a database belonging to a ride-hailing company operating in Iran that was left exposed online and contained over 6.7M records.

Security researcher Bob Diachenko discovered a database belonging to a ride-hailing company operating in Iran that was left exposed online without protection.

The MongoDB instance, named ‘doroshke-invoice-production’, contained over 6.7 million records of Iranian drivers.

Exposed records include the driver's first name and last name, SSN (10-digit Iranian ID number in plain text), phone number, and invoice date.

The expert discovered the database using the BinaryEdge search engine, which scans the entire internet space and indexes the data it acquires.

“On April 18th, during our regular security audit of nonSql databases with BinaryEdge search engine, I have discovered an open and publicly available MongoDB instance which contained astonishingly sensitive information on Iranian drivers,” reads a blog post published by the expert.

The database included two collections with invoices split by year:

  • invoice95 (all the invoices from year 1395, which corresponds to 2017 in the Gregorian calendar), with a total number of records: 740,952
  • invoice96 (all the invoices from year 1396, which corresponds to 2018 in the Gregorian calendar), with a total number of records: 6,031,317

The MongoDB instance contained a large number of duplicates; the researcher estimates that the number of unique entries is between one and two million.

At the time of writing, the owner of the archive is still unknown; fortunately, the owner has secured the instance.

Diachenko reported his discovery to the Iranian CERT and also attempted to alert researchers in Iran in order to identify the owner.

“We were able to get in touch with a couple of drivers with an attempt to identify the owner of the database. At the same time, my colleagues have reached out to the biggest ride-hailing companies in Iran to confirm data origin,” concludes Diachenko.

“While I did not receive an official confirmation or comment from either company, we can only guess if this data was part of their infrastructure. However, no matter who owned it, the fact alone that such highly sensitive PII (personally identifiable information) was available in the wild for at least 3 days, is scary.”


Pierluigi Paganini

(SecurityAffairs – data leak, ride-hailing company)
