By Lee Johnstone and Dissent Doe
Sungy Mobile Limited (“GOMO”) claims to be the world’s leading mobile application developer and mobile advertising platform, with more than 2 billion downloads. Their GO Series apps include GOMO Reading, GO Launcher, GO SMS, GO Keyboard Pro, Z Camera, S Photo Editor, GO Music, GO Speed, Brightest Flashlight, and Z Launcher.
GOMO’s apps are very popular with children, so when a misconfigured backup exposed more than 50 million consumers’ information, many of those 50 million consumers were children.
But do their parents know? It’s not clear.
Leak Discovered in May
On May 25, an independent researcher who calls himself “Flash Gordon” discovered what appeared to be GOMO backup data exposed over plain HTTP on port 80, with no authentication required to browse or download it.
Although the data appeared to be from GOMO, we could find no way to alert them to their security issue via email or social media. There was no email address on their site, and a Google search returned no usable email address for their security or privacy personnel. Attempts to reach GOMO via their Twitter account were also unsuccessful.
On May 27, Flash discovered that there was also a second IP address that was exposing all of the backup data without any login required.
Both Flash Gordon and DataBreaches.net attempted to notify GOMO via their web host and even via the Privacy Commissioner for Personal Data, Hong Kong. The latter raised jurisdictional and statutory issues in trying to explain why they wouldn’t just reach out and notify the company when the data were being hosted in Hong Kong.
On May 30, five days after discovery, it appeared that the files might have been secured after Flash contacted NTT Com Asia Ltd on Facebook and informed them that one of their HKNet customers was leaking data and couldn’t be reached via email. On June 2, however, a re-check determined that both servers were leaking again. NTT Com Asia was contacted again, and again, they assisted in the notification process. This time, the servers remained unavailable on re-check.
Findings: Corporate Data
Analysis of the GOMO data revealed that not only were GOMO’s application users affected (see below), but a great deal of the company’s development, internal, and system details and workings were also exposed. Data from every application, as well as deployment, product, administration, statistics and payment-gateway material and much more, was left unprotected in plaintext.
The databases also contained a lot of data that did not appear to be directly linked to their own applications, but might be related to other products of theirs involving providing digital marketing and game distribution services for merchants, brands, and other companies – material that might be especially attractive to threat actors who search for or stumble over it.
Checking the Google Play Store for applications under GOMO returns various versions of applications under developer names like “GOMO apps” and “GOMO dev, GOMO,” but the official Play Store developer account appears to be named “GOMO Limited.”
Findings: User Data
Data provided by Flash Gordon to Johnstone appeared to contain the complete backend system for many of GOMO’s products/applications. The backup was well over 28GB as stored (compressed archives plus ordinary files). When decompressed, it came to close to 100GB of data in total.
Some of the data exposed by the leak indicated that the most frequent user languages represented in the files were English, Spanish, “Indian” (as labeled in the data), and French. There were 273 distinct language values and 301 distinct country values in the data; the latter exceeds the number of countries that exist, so the country field evidently holds region or junk values as well.
All told, there were:
50,553,664 unique accounts
47,415,210 unique devices
4,379 distinct mobile numbers in accounts,
51,426,769 distinct email addresses in accounts,
48,255,172 profiles, and
4 system users.
A redacted record, below, reveals that exposed data included email addresses, bcrypt password hashes (the $2a$10$ prefix identifies the scheme and a cost factor of 10), and the user’s language and country:
(420865,NULL,'[redacted]@gmail.com',NULL,'1446416667477d5fb1ba798a67985','d5fb1ba798a67985','$2a$10$6EQadztZcwGKBRhewGj4SOlJRvsI39C4bm0vySv1UKldUvF.AIxM.','fr','FR',0,0,'XRlgLbzb5OoA7ixiWvX2MMSX6',2,1,'2015-11-02 06:25:10','2015-11-01 22:25:10')
Some entries contained data on U.S. persons that included their email address, username, school, gender, date of birth, and International Mobile Subscriber Identity (IMSI), as these examples demonstrate. The file name suggests a Redis append-only file (appendonly.aof is Redis’s default AOF name). Note also that the encryptedPhone field in the second record is not ciphertext: the value is merely base64-encoded and decodes directly to a mobile number in international (+country code) format, so it is redacted here as well.
6370_appendonly.aof:{"[redacted]":"c15168219","email":"[redacted]@gmail.com","emailStatus":true,"username":"[redacted]","address":"Euclid, Ohio","college":"Euclid High School","sex":"1","birthday":"[redacted]","language":"US","version":"1359928652823","imsi":"[redacted]"}
6370_appendonly.aof:{"[redacted]":"c8203604","email":"[redacted]@gmail.com","encryptedPhone":"[redacted]","phoneStatusEnum":{"value":0,"name":"suc"},"emailStatus":true,"username":"[redacted]","college":"Iolani School","sex":"1","birthday":"[redacted]","language":"US","version":"1358036318623","imsi":"[redacted]"}
The databases also exposed links to avatars, comments, notes and other application-based information such as users’ coins or game credits, in-app purchases, and more.
One file contained 49,243,538 accounts with email addresses, mobile phone numbers, passwords, language preference, country, and other account-related information. A second table in the account database contained just as many rows of device information keyed by the same user ID, so that an account could be matched to its International Mobile Equipment Identity (IMEI), IMSI, phone model, language, country, and connection type.
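As an added illustration (not the authors’ tooling and not GOMO’s code), the Python below shows the triage a practitioner would run on records like the two formats quoted above: parse an INSERT-style tuple and a grep hit from an append-only file, judge from each field’s shape whether it is actually protected (a bcrypt hash and its cost factor, a plaintext e-mail, a mobile number that is only base64-encoded), and then join the account table to the device table on the shared user ID, which is the linkage that ties an e-mail address to an IMEI and IMSI. Every sample row is constructed from made-up values, and the column positions used for the join are assumptions, since the page does not give the schemas.

```python
import base64
import json
import re
from typing import Dict, List, Optional

# Constructed sample records shaped like the two formats quoted above. Every value
# (ids, e-mail, hash, phone, IMEI, IMSI) is made up; none is from the exposed backup.
FAKE_BCRYPT = "$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
FAKE_B64_PHONE = base64.b64encode(b"+15555550123").decode("ascii")  # KzE1NTU1NTUwMTIz
ACCOUNT_ROW = (  # INSERT-style tuple; column 0 = user id, column 2 = e-mail (assumed)
    "(420865,NULL,'alice@example.com',NULL,'1446416667477d5fb1ba798a67985',"
    "'d5fb1ba798a67985','" + FAKE_BCRYPT + "','fr','FR',0,0,"
    "'XRlgLbzb5OoA7ixiWvX2MMSX6',2,1,'2015-11-02 06:25:10','2015-11-01 22:25:10')"
)
# Hypothetical device-table row: (user_id, imei, imsi, model, language, country, connection)
DEVICE_ROW = "(420865,'490154203237518','001010123456789','Pixel 2','fr','FR','wifi')"
# A grep hit from an append-only file, "<file>:<json>", like the profile records above
AOF_LINE = "6370_appendonly.aof:" + json.dumps({
    "uid": "c8203604", "email": "alice@example.com", "encryptedPhone": FAKE_B64_PHONE,
    "emailStatus": True, "username": "alice", "college": "Example High School",
    "sex": "1", "birthday": "2003-04-05", "language": "US", "imsi": "001010123456789"})

SQL_TOKEN = re.compile(r"'((?:[^']|'')*)'|(NULL)|(-?\d+(?:\.\d+)?)")
BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")  # $2a$<cost>$<22 salt><31 hash>
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_sql_tuple(row: str) -> List[Optional[str]]:
    """Split one VALUES tuple into fields: quoted strings unescaped, NULL -> None,
    numbers kept as text so every field can be pattern-matched the same way."""
    body = row.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("not a parenthesised tuple")
    out: List[Optional[str]] = []
    for m in SQL_TOKEN.finditer(body[1:-1]):
        if m.group(1) is not None:
            out.append(m.group(1).replace("''", "'"))
        elif m.group(2) is not None:
            out.append(None)
        else:
            out.append(m.group(3))
    return out


def parse_aof_line(line: str) -> Dict[str, object]:
    """Drop the 'file:' prefix grep prints in front of an AOF hit and parse the JSON."""
    _, _, payload = line.partition(":")
    return json.loads(payload)


def decode_base64_text(value: str) -> Optional[str]:
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    if len(value) % 4 or not B64.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(value: Optional[str]) -> str:
    """Judge from a field's shape alone whether it is actually protected."""
    if value is None:
        return "null"
    m = BCRYPT.match(value)
    if m:
        return "bcrypt(cost=%d)" % int(m.group(1))  # cost 10 means 2**10 rounds
    if EMAIL.match(value):
        return "email(plaintext)"
    if E164.match(value):
        return "phone(plaintext)"
    decoded = decode_base64_text(value)
    if decoded is not None and E164.match(decoded):
        return "phone(base64 only; reversible, not encryption)"
    return "other"


def triage_record(fields) -> Dict[str, str]:
    """Classify every field of a parsed tuple (keyed by column index) or JSON object."""
    items = fields.items() if isinstance(fields, dict) else enumerate(fields)
    return {str(k): classify(v if v is None or isinstance(v, str) else str(v))
            for k, v in items}


def link_accounts_to_devices(account_rows, device_rows) -> Dict[str, Dict[str, str]]:
    """Join accounts to devices on the shared user id (column 0 of both tables), mapping
    each e-mail to IMEI, IMSI and model. Column positions are assumed for the example."""
    devices = {}
    for r in device_rows:
        dev = parse_sql_tuple(r)
        devices[dev[0]] = dev
    linked: Dict[str, Dict[str, str]] = {}
    for r in account_rows:
        acct = parse_sql_tuple(r)
        dev = devices.get(acct[0])
        if dev is not None and acct[2]:
            linked[acct[2]] = {"imei": dev[1], "imsi": dev[2], "model": dev[3]}
    return linked


if __name__ == "__main__":
    for name, rec in (("account", parse_sql_tuple(ACCOUNT_ROW)),
                      ("profile", parse_aof_line(AOF_LINE))):
        for k, v in triage_record(rec).items():
            print(name, k, v)
    print(link_accounts_to_devices([ACCOUNT_ROW], [DEVICE_ROW]))
```

Run stand-alone, the script prints one line per field with its classification and then the e-mail-to-IMEI/IMSI mapping. The shape-based checks are deliberately conservative: a value is only reported as a base64-wrapped phone number when it is valid base64, decodes to printable ASCII, and that text matches an international number pattern, which keeps hex IDs, timestamps and short codes from being misreported.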
In total, more than 70 databases were exposed, covering applications listed on GOMO’s website including Z Camera, Z Launcher, GO SMS, GO Music, GO Launcher, Bright Flashlight, and S Photo Editor. Other affected applications include GO Horoscope, GO Fitness, GO Currency, and GO Video, as well as databases for internal purchases, games, promotions, messages and contacts. And as noted earlier, the complete GOMO deployment and development system was also exposed, with all endpoints, credentials and project information.
GOMO also provides services for clients such as private VPNs, and the exposed database contained 477,521 account IDs of customers who subscribe to this service.
Yet other files appeared to be activity logs that were updated as users used the apps. These logs showed that the backup was current and was being continually updated, so what was exposed was live data rather than a stale snapshot.
Who Knows? Who Should Know?
Since the data were secured, we have occasionally checked GOMO’s site to see if there was any disclosure or statement about the unsecured backup exposing data. We can find none. And there is still no email contact form or address to get in touch with the company to alert them to problems or to ask questions.
So have parents of children whose data were exposed been notified that their children’s name, date of birth, email address, and device and account information was exposed and available for access or download by threat actors? Has GOMO analyzed their logs to determine how many IP addresses outside of their network may have accessed or exfiltrated their data?
And does Chinese law require disclosure or notification – either to consumers, parents, or the government itself for this type of leak? We are not sure.
Update of August 17: Yesterday, DataBreaches.net received an email from the security head for GOMO. GOMO writes, in relevant part:
This issue happened when we were fixing an issue on AWS and had to open port 80; however, we failed to close the port due to a tech bug. We realized the issue on 30th May and fixed this problem right after.
Their investigation noted two downloads at the end of May, which they believe to be “a kind reminder rather than a malicious attack.”
In response to the incident, GOMO took a number of actions:
1) We have added additional manpower as a backup process to double-check when it comes to database-related actions.
2) An enhanced encryption process has been applied to all the user-related data, including but not limited to email/UI etc.
GOMO thanked us for the reporting, “which provides a kind alarm for us to improve. User data security has always been the center of our work and it will always stay the highest priority for the company.”
We are glad to have been of help, and hope that they will add something to their web site’s home page that lets people know how to contact them directly by email to report any privacy or data security concerns. In our opinion, every entity should provide contact email for reporting concerns.