Dalil, a popular Saudi Arabian mobile communications application with more than five million downloads, was found to have exposed user data through an internet-accessible MongoDB database. According to researchers at VpnMentor, the breach occurred because Dalil collected user data in an unsecured and unmonitored MongoDB instance. As a result, all user information was accessible without authentication.
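The two settings whose absence produces exactly this failure mode are the network bind address and role-based access control in `mongod.conf`. The following audit script is an added example, not code from the article or from Dalil; both configuration files are constructed, and the parser only handles the flat two-level layout of a typical `mongod.conf`.

```python
"""Audit a mongod.conf for the settings that leave a MongoDB instance reachable
from the internet without authentication. Added example (not from the article);
both configs below are constructed, the parser handles flat two-level YAML only."""

def parse_mongod_conf(text: str) -> dict:
    """Minimal parser: top-level 'section:' lines and indented 'key: value' lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):              # top-level section, e.g. "net:"
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def audit(conf: dict) -> list:
    """Return findings that would expose the instance the way the article describes."""
    findings = []
    net = conf.get("net", {})
    bind_ip = net.get("bindIp", "127.0.0.1")      # mongod's default is localhost only
    if net.get("bindIpAll", "false").lower() == "true" or any(
            a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append("net: listening on all interfaces")
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security: authorization not enabled (unauthenticated access)")
    return findings

# Constructed examples: the exposed shape described above, then a hardened one.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # localhost plus the private app-server interface only
security:
  authorization: enabled        # every client must present valid credentials
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_mongod_conf(conf)) or ["no findings"])
```

The same checks can be run against a live deployment's config file; a second, independent control is to monitor that the 27017 listener is not reachable from outside the private network.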
By default, Dalil collects the following information from users during the initial setup:
- Mobile phone number
- Device model, token, serial number, and operating system
- IP address
- Device IMEI
- SIM card and network provider information
- GPS and network location data
Users are also given the option to provide additional personal information, including email address, first and last name, gender, and profession. All of this data was publicly accessible due to being stored in an unsecured database.
This breach raises significant security and privacy concerns for Dalil users. The two primary risks are targeted advertising abuse and malware delivery. The exposed information could be sold to advertisers, governments, or even terrorist organizations, enabling highly targeted campaigns.
The second concern is the potential for malware deployment on user devices, since sensitive device-level information (model, IMEI, serial number, operating system) was also leaked. Additionally, VpnMentor researchers identified unusual application permissions, such as call rerouting, which raised concerns about potential surveillance activities.
The key takeaway from this incident is the importance of exercising caution when granting application permissions, regardless of an app’s popularity. Users should remain mindful of the personal information they share with applications and organizations in exchange for services.