Kontacto’s lack of security exposed the data of 55,000 people


Now that the Kontacto server is no longer online, we would like to illustrate how the personal data of more than 55,000 people was left publicly accessible to the whole world.

Kontacto was composed of two main components: a client Android mobile application and a server side that sends data to and receives data from the client.

The protocol used to exchange data is SOAP (Simple Object Access Protocol), an XML-based messaging protocol that is one of the oldest used for this kind of transaction and has largely been replaced by REST.

Although SOAP supports security through its WS-Security extension, Kontacto did NOT use any of its features. Kontacto did NOT even use HTTPS, so all traffic travelled unencrypted. Although the domain http://kontactows.co was initially used, the Kontacto client that was put in production was connecting directly to http://3{.}221.46.163/

How did we find the Kontacto server?

The existence of an application called Kontacto was not really a secret, as hundreds of contractors of the municipality had shared and installed the app.

A simple search for “Kontacto” in Censys, an Internet scanning service created at the University of Michigan in 2015, returned the address 3{.}221.46.163

A server open to the general public

The application server did not have any protection, such as a firewall or password protection. It also did not perform any authentication or authorization.

Under the URL http://3{.}221.46.163/WSKONTACTO_WEB the following pages were publicly available:

Default requests leaked personal data

Any default request to the web server's different links, performed from a standard web browser without any credentials, returned data of the following form: a status token, a pipe separator and a hex dump of the payload:

OK|50 4B 03 04 ....

Encrypted?, not really!

A quick search for the string “50 4B 03 04” shows that it is the local file header signature of the ZIP format (the bytes “PK”, 0x03, 0x04), so the response was not encrypted at all but simply a hex-encoded ZIP archive.

Kontacto open server exposed compressed personal data

Converting the hex dump back to binary and writing it to a file (using xxd -r -p) immediately produced a valid ZIP archive with the name EQUIPO_.
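The steps above (split the "OK|" envelope, decode the hex dump, check the "50 4B 03 04" magic, open the archive) can be done in a few lines without touching the disk. The following is an added example written for this article, not code from Kontacto or from the original analysis; the archive and the contact record it contains are constructed here for illustration and are not real exported data, and the response format is assumed to be exactly the "STATUS|HEX" shape shown above.

```python
import io
import zipfile
from typing import List, Tuple

# "50 4B 03 04" from the Kontacto response is the ZIP local file header signature.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# An archive with no entries starts directly with the end-of-central-directory record.
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"


def build_sample_response() -> str:
    """Constructed sample (not real Kontacto data): a tiny ZIP holding one
    made-up contact record, hex-encoded and wrapped in the observed 'OK|...' envelope."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "EQUIPO_sample.csv",
            "id;name;email;phone\n0000000000;Sample Person;sample@example.com;+570000000000\n",
        )
    hexdump = " ".join(f"{b:02X}" for b in buf.getvalue())
    return "OK|" + hexdump


def parse_response(response: str) -> Tuple[str, bytes]:
    """Split the 'STATUS|HEX' envelope and decode the hex dump to raw bytes.
    Whitespace between byte pairs (as in the captured response) is ignored."""
    status, sep, payload = response.partition("|")
    if not sep:
        raise ValueError("response has no '|' separator")
    hexstr = "".join(payload.split())
    if len(hexstr) % 2:
        raise ValueError("odd-length hex payload")
    return status, bytes.fromhex(hexstr)


def looks_like_zip(data: bytes) -> bool:
    """Cheap magic-byte check, the same test that identified the Kontacto payload."""
    return data.startswith(ZIP_LOCAL_HEADER) or data.startswith(ZIP_EMPTY_ARCHIVE)


def is_valid_zip(data: bytes) -> bool:
    """Stronger check: the central directory must parse, not just the first four bytes."""
    return zipfile.is_zipfile(io.BytesIO(data))


def list_entries(data: bytes) -> List[str]:
    """Names of the files inside the archive, read in memory without extracting to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_entry(data: bytes, name: str) -> str:
    """Return one entry's contents as text (assumes the entry is UTF-8 text)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name).decode("utf-8")


if __name__ == "__main__":
    status, blob = parse_response(build_sample_response())
    print("status:", status, "| zip magic:", looks_like_zip(blob), "| valid:", is_valid_zip(blob))
    for entry in list_entries(blob):
        print(entry)
        print(read_entry(blob, entry))
```

The magic-byte check is only a heuristic: four leading bytes prove nothing about the rest of the payload, which is why is_valid_zip() parses the central directory before the archive is opened. Note that the sample response printed earlier in this article is truncated with "....", so the parser expects the full hex dump, not the abbreviated one.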

Conclusion

Kontacto did not contain any measures to protect the personal data of more than 55,000 people, including their ID card numbers, addresses, e-mail addresses and telephone numbers.