The Turkish app Quran Kuran has exposed over 3.6 million records of highly sensitive data that could have been used for unauthorized surveillance.
On August 15th, the Cybernews research team discovered an unprotected Elasticsearch server exposing more than 3.6 million extremely sensitive data records to anyone on the internet.
The data has been attributed to users of the Quran Kuran app developed by Sigma Telecom, an Istanbul-based telecommunications company.
The app, downloaded over 1 million times from the Google Play Store, helps users study, read, and learn the Quran, the Muslim holy book, while supporting prayer practices.
What data was leaked?
- Geodata
- Device and network identifiers
- MAC addresses – a 12-digit hexadecimal number assigned to each device connected to the network
- IP addresses
- SIM serial numbers
- Carrier information
- Application details
Why does the Quran Kuran leak matter?
The exposed data contained detailed personal and technical information, making it highly sensitive and exploitable in multiple scenarios. Malicious actors could use the leaked information for identity theft and other forms of cyber fraud.
Moreover, leaking sensitive details may threaten users’ privacy. Leaving geodata, SIM serial numbers, and network identifiers public makes the religious community extremely vulnerable to surveillance and unauthorized tracking.
“Since Wi-Fi SSIDs are present, threat actors can find users' places of residence. Meanwhile, SIM serial numbers can be abused to track the locations of the app's users. For example, during protests, where it is common to intercept cellular traffic,” said Cybernews researchers.
This is especially concerning given that it is not the first time the Muslim community has been put at risk due to data collected by prayer apps.
In 2020, news reports revealed that the US federal government purchased cellphone location data collected from popular prayer apps used by millions of Muslims worldwide.
“Harvesting of data on Muslim app users worldwide is a serious threat to privacy and religious freedom,” said the American Civil Liberties Union (ACLU) at the time.
“CCPA and GDPR consider information such as a person's religious beliefs to be highly sensitive personal information. It is in the same sensitivity category as health data, financial data, criminal history, and passports, as opposing groups have historically used such information for discrimination and violence,” added Cybernews researchers.
Cybernews contacted Quran Kuran developers, and access to user data was secured. An official comment has yet to be received.
Disclosure timeline
Discovered: August 15th
Initial disclosure: September 6th
Follow-up emails: September 13th, 20th, 27th, October 4th, October 10th
Disclosure to CERT: October 17th
Closed: November 5th