A cybersecurity breach has exposed over 3.6 million records of highly sensitive information belonging to users of the Quran Kuran app, a digital tool designed to help Muslims engage with their faith. The unprotected Elasticsearch server was uncovered on August 15 by the Cybernews research team, leaving millions of users at risk of privacy violations and unauthorized tracking.
Details of the Leak
The app, developed by Istanbul-based Sigma Telecom and downloaded over a million times from the Google Play Store, is used for reading, studying, and learning the Quran while facilitating prayer practices. Unfortunately, the server’s vulnerability exposed a trove of data, including:
- Geographic location data
- Device and network identifiers
- MAC addresses – unique codes assigned to devices on a network
- IP addresses
- SIM card serial numbers
- Mobile carrier details
- Application usage information
Why This Breach is a Serious Concern
The leaked data poses a significant threat to the privacy and security of Quran Kuran users. Cybercriminals could exploit the information for identity theft, unauthorized surveillance, or other fraudulent activities.
Geodata and SIM card details could enable malicious actors to pinpoint users’ locations or track their movements. For example, Wi-Fi SSIDs revealed in the leak could be used to identify users’ homes. This vulnerability is especially dangerous in scenarios such as public demonstrations, where intercepted cellular traffic could place users at risk.
“Threat actors could use this information to monitor users’ locations or movements, particularly during sensitive activities like protests,” Cybernews researchers warned.
A Recurring Issue for Muslim Communities
This incident is not the first time prayer apps have compromised the privacy of Muslim users. In 2020, investigative reports revealed that the U.S. government had acquired location data from popular Islamic apps, sparking outrage among privacy advocates.
READ MORE: Cafe Worker Claims Unfair Dismissal Due to Religion and Heritage
The American Civil Liberties Union (ACLU) described such data harvesting as a severe threat to privacy and religious freedom. “Information about a person’s religious beliefs is as sensitive as health, financial, or criminal records and can be exploited for discrimination or violence,” the ACLU said.
Developer Response and Timeline
After Cybernews reached out to Quran Kuran developers, access to the exposed data was eventually secured. However, no official comment has been provided by Sigma Telecom.
The timeline of the disclosure process is as follows:
- Discovery: August 15
- Initial disclosure to developers: September 6
- Follow-up communications: September 13, 20, 27; October 4, 10
- Notification to CERT (Computer Emergency Response Team): October 17
- Closure: November 5
The Quran Kuran breach underscores the pressing need for developers of religious and sensitive apps to prioritize robust cybersecurity measures, ensuring users’ privacy and data integrity are safeguarded at all times.