Update: According to the Vopium blog, the app has been updated with a fix for this issue.  We'll crack it open in just a bit to ensure everything has indeed been addressed.

Users of the popular VoIP app Vopium (here's the older version with many more installs) may want to put all usage of the app on hold, at least for the time being. It was recently disclosed that the app sends essentially all of its sensitive data, including your username, password, device IMEI, geolocation, and contact list, across the network in plaintext, with no transport encryption at all.

After doing some of our own analysis, we found that the password is also stored in plaintext in the app's settings (on Android, the app's private preference files, which anything running as root, or anyone with a backup of the device, can read), rather than storing only a session or auth token obtained at login, or at least an encrypted value. Thanks for doing the leg work here, jcase.

Basically, anyone on the same network, or anywhere on the path between the phone and Vopium's servers, can pull all of the aforementioned information out of the air with ease using a common packet sniffer. Since the data is sent in plaintext, there's no decoding necessary: the username, password, IMEI, coordinates and contacts are sitting right there in the captured request, ripe for the picking.

So, how should Vopium be handling these requests? Over a secure, encrypted connection, i.e. HTTPS (TLS) instead of plain HTTP. Then, if an "attacker" tried to pull any of the information out of the sky, all they would get is ciphertext. Two caveats a developer should keep in mind: HTTPS only helps if the app actually verifies the server's certificate and hostname (apps that disable that check are trivially man-in-the-middled), and it does nothing for the password that is sitting in plaintext on the device itself.
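To make the "packet sniffer" point concrete, here is an added Python example of my own (it is not code from Vopium or from the original post). It builds a constructed plaintext login request of the kind described above, runs a small passive "sniffer" over the raw bytes to show how little work recovering the fields takes, shows that the same sniffer gets nothing from a TLS record, and puts the insecure TLS client configuration many apps ship next to the correct one. The field names, hostname, credentials and IMEI are all assumptions made up for the demo, not Vopium's real protocol.

```python
"""Plaintext HTTP vs. TLS from a passive sniffer's point of view.

Added illustration, not Vopium's code. Field names, host, credentials and
the IMEI below are constructed for the demo.
"""
import hashlib
import re
import ssl
from urllib.parse import parse_qs

# Constructed sample: the body of a login POST as an app might send it.
# (490154203237518 is a well-known example IMEI with a valid check digit.)
_BODY = b"user=alice&pass=hunter2&imei=490154203237518&lat=55.676&lon=12.568"

# What a sniffer captures when the app talks plain HTTP (host is made up).
CAPTURED_HTTP = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_BODY)
    + _BODY
)

# What a sniffer captures when the same login goes over TLS: a record header
# (application data, TLS 1.2, 64-byte payload) followed by ciphertext.
# The "ciphertext" is deterministic filler so the demo runs offline.
CAPTURED_TLS = b"\x17\x03\x03\x00\x40" + hashlib.sha256(b"demo").digest() * 2


def luhn_ok(digits: str) -> bool:
    """IMEI check digit (Luhn). Cuts false positives on random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sniff_credentials(packet: bytes) -> dict:
    """Recover leaked fields from one captured TCP payload.

    Returns the sensitive fields if the payload is a plaintext HTTP request
    carrying a form body, and an empty dict otherwise (e.g. a TLS record).
    """
    if not re.match(rb"^(GET|POST|PUT) \S+ HTTP/1\.[01]\r\n", packet):
        return {}
    _head, _sep, body = packet.partition(b"\r\n\r\n")
    fields = {k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()}
    leaked = {}
    for name in ("user", "username", "pass", "password"):
        if name in fields:
            leaked[name] = fields[name]
    for val in fields.values():
        if re.fullmatch(r"\d{15}", val) and luhn_ok(val):
            leaked["imei"] = val
    if "lat" in fields and "lon" in fields:
        leaked["location"] = (float(fields["lat"]), float(fields["lon"]))
    return leaked


def hardened_tls_context() -> ssl.SSLContext:
    """Client TLS settings the app should use (pass as context= to
    http.client.HTTPSConnection). create_default_context() verifies the
    server certificate chain and hostname; we also refuse TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def disabled_verification_context() -> ssl.SSLContext:
    """The common mistake: HTTPS with certificate checks switched off.
    Any hotspot can then impersonate the server; shown here only as the
    weak setting to contrast with hardened_tls_context()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context actually authenticates the server."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    print("plain HTTP leaks:", sniff_credentials(CAPTURED_HTTP))
    print("TLS record leaks:", sniff_credentials(CAPTURED_TLS))
    print("hardened context strict:", tls_context_is_strict(hardened_tls_context()))
    print("no-verify context strict:", tls_context_is_strict(disabled_verification_context()))
```

Run it and the plaintext capture yields the username, password, IMEI and coordinates with nothing more than a form-body parse, while the TLS record yields nothing; the two context functions show that "we use HTTPS" is only true if the client keeps certificate and hostname verification on.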

Not to underplay the severity of the situation, but how exposed you are depends on where you use it. On a WPA-protected home network only your own devices (and whoever has the key) can sniff the wireless hop, so the pool of eavesdroppers is small; the traffic is still plaintext on every hop between your router and Vopium's servers, though, so that reduces the exposure rather than removing it. If you use Vopium on an open hotspot or a network shared with many people (a college dorm or a coffee shop, for example), your credentials, IMEI, location and contact list are definitely out in the open for any wrong-doer with a sniffer to steal.

Hopefully, Vopium will issue an update as soon as possible that corrects this mistake, but I would have trouble trusting again a company whose engineers put out software with such basic flaws.

Packetstormsecurity via Seclists, thanks inforensique