Let me spell out why you should care that I recently so easily found 13 security vulnerabilities.
Published: Mon, November 20, 2017, 06:55
I'm summarizing the 13 security issues I've presented on the blog over the last three months.
In the table below I've tried to show how different types of criminals could directly use the information from the different cases. Of course, combining sources would make you even more vulnerable, so I'll get into that further down in this post.
Directly applicable for:

| Case | Jealous partner | Stalker | Kidnapper | White-collar criminal | Political hacker | Foreign intelligence |
|---|---|---|---|---|---|---|
| #1 - Tryg + Infotorg | - | ✔ | - | ✔ | - | ✔ |
| #2 - Acme | - | - | - | - | - | - |
| #3 - Digipost | - | ✔ | - | - | ✔ | ✔ |
| #4 - Acme2 | - | - | - | ✔ | - | - |
| #5 - Sbanken | ✔ | - | - | - | - | - |
| #6 - Orkla + Japan Photo | - | - | - | - | - | - |
| #7 - Energi Treningssenter | ✔ | ✔ | - | - | - | - |
| #8 - Acme3 | - | - | - | ✔ | - | - |
| #9 - IKEA | - | - | - | - | - | - |
| #10 - Memoria | - | - | - | - | - | - |
| #11 - Gator Watch | - | - | ✔ | - | - | - |
| #12 - Gjensidige | - | ✔ | - | - | - | - |
| #13 - GoShopping | - | ✔ | - | - | - | - |
By jealous partner I mean people who exercise some kind of abusive power and control, or who are simply jealous. They could make use of usage data such as the time their partner entered the door at the gym, or what he or she bought at the store and when.
A stalker is a person with unwanted or obsessive attention towards another person. Using information leaks, a stalker would be able to get more personal information (i.e. address, phone number, e-mail address) about the victim. And getting something like the victim's IP address would open the door to attacks on computer equipment, which again can lead to more leaks of personal data (think of your mobile phone with all your images, your e-mail, etc.).
Kidnappers would be able to use location data and other usage information to understand patterns and when it's a fitting time to commit the crime.
In white-collar crime I include identity theft and other types of financially motivated crimes. Useful information could be Social Security Numbers (SSN), names, addresses, phone numbers, etc.
By political hacker I mean individuals or groups that have some kind of political motivation to get access to data about politicians. A list of people's names and IP addresses would be great news for anyone trying to break into a politician's computer network.
I suppose some foreign intelligence organizations wouldn't mind getting an up-to-date, high-quality list of names, Social Security Numbers and addresses for most of the adult population of a nation. And for more targeted operations, full names and IP addresses certainly help.
More often than not the security issues I have found have included some sort of personal information leak. In the table below I'm summarizing the severity and the leaks.
| Case | Severity | Data leaked | Enumeration vulnerability | Privacy threat |
|---|---|---|---|---|
| #1 - Tryg + Infotorg | Low to medium | SSN, names, addresses, birthdays, etc. | ✔ | ✔ |
| #2 - Acme | Very low | - | ✔ | - |
| #3 - Digipost | Medium | Names and IP addresses | ✔ | ✔ |
| #4 - Acme2 | Critical | - | ✔ | ✔ |
| #5 - Sbanken | High | Bank account balances | - | ✔ |
| #6 - Orkla + Japan Photo | Low | Pictures and first names | ✔ | ✔ |
| #7 - Energi Treningssenter | High | Names, visit logs, e-mail addresses, phone numbers, bank account numbers, pictures | ✔ | ✔ |
| #8 - Acme3 | Critical | A lot of different company data | ✔ | ✔ |
| #9 - IKEA | Low to medium | Names and locations | - | ✔ |
| #10 - Memoria | High | Private messages | ✔ | ✔ |
| #11 - Gator Watch | Critical | Kids' location, voice messages, phone numbers | ✔ | ✔ |
| #12 - Gjensidige | Medium | Names, addresses, insurance details | ✔ | ✔ |
| #13 - GoShopping | Low to medium | Names, addresses, order details | - | ✔ |
A lot of different personal data has been leaked. And looking at the cases you'll see that you can use data from one source to look up data in another.
The checkmark for enumeration vulnerability indicates whether it was possible to access all the data systematically (walking through every record, not just your own) or not. Only a few of the cases required prior knowledge such as a bank account number or an e-mail address, so this is bad news for you as an end user.
While not all cases are directly applicable for criminals, almost every single one of them poses a threat to your privacy. This threat ranges from you no longer surfing anonymously on the Internet, to your home network being vulnerable to further attacks, to your kids being tracked, to your online shopping being exposed, and so on.
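An enumeration vulnerability of the kind marked in the table above shows up in server logs as one client walking through record IDs one after another. The script below is an added example, not code from the original post or from any of the companies named in it: it parses constructed access-log lines (the IPs, paths and timestamps are made up) and flags any client that requests a run of mostly consecutive numeric IDs on the same endpoint. The endpoint name `/api/customer/{id}` and the thresholds `min_ids` and `min_seq_ratio` are assumptions chosen for the example.

```python
"""Flag clients that look like they are enumerating records by sequential ID.

Added example for detection on the defending side: the post's tables mark cases
where all records could be walked through systematically. Such walks leave a
characteristic trace in access logs, which this script looks for.
"""
import re
from collections import defaultdict

# Constructed sample log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2017:06:55:01 +0100] "GET /api/customer/1001 HTTP/1.1" 200 512
203.0.113.5 - - [20/Nov/2017:06:55:02 +0100] "GET /api/customer/1002 HTTP/1.1" 200 498
203.0.113.5 - - [20/Nov/2017:06:55:02 +0100] "GET /api/customer/1003 HTTP/1.1" 200 530
203.0.113.5 - - [20/Nov/2017:06:55:03 +0100] "GET /api/customer/1004 HTTP/1.1" 404 0
203.0.113.5 - - [20/Nov/2017:06:55:03 +0100] "GET /api/customer/1005 HTTP/1.1" 200 511
203.0.113.5 - - [20/Nov/2017:06:55:04 +0100] "GET /api/customer/1006 HTTP/1.1" 200 509
198.51.100.7 - - [20/Nov/2017:06:56:10 +0100] "GET /api/customer/4421 HTTP/1.1" 200 520
198.51.100.7 - - [20/Nov/2017:06:57:44 +0100] "GET /api/order/88 HTTP/1.1" 200 300
198.51.100.7 - - [20/Nov/2017:06:58:02 +0100] "GET /api/customer/4421 HTTP/1.1" 200 520
"""

# Client IP, request method, path and status from a common-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A path ending in a numeric ID: /api/customer/1001 -> template /api/customer/, id 1001
ID_RE = re.compile(r'^(?P<template>.*/)(?P<id>\d+)$')


def parse_line(line):
    """Return (ip, endpoint template, numeric id) or None if the line has no numeric ID."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?")[0]
    idm = ID_RE.match(path)
    if not idm:
        return None
    return m.group("ip"), idm.group("template") + "{id}", int(idm.group("id"))


def find_enumerators(log_text, min_ids=5, min_seq_ratio=0.8):
    """Return {(ip, endpoint): sorted distinct ids} for clients whose requests
    look like an ID walk: at least `min_ids` distinct IDs on one endpoint, and at
    least `min_seq_ratio` of consecutive requests differing by exactly 1.

    404 responses are kept on purpose: probing IDs that do not exist is part of
    the same pattern, so they strengthen rather than weaken the signal.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, template, rid = rec
            seen[(ip, template)].append(rid)

    flagged = {}
    for key, ids in seen.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_ids:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for s in steps if abs(s) == 1)
        if steps and sequential / len(steps) >= min_seq_ratio:
            flagged[key] = distinct
    return flagged


if __name__ == "__main__":
    for (ip, endpoint), ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} walked {endpoint}: ids {ids[0]}..{ids[-1]} ({len(ids)} distinct)")
```

On the sample input only `203.0.113.5` is flagged, for `/api/customer/{id}`; the second client repeats a single ID and touches another endpoint once, which is normal use. Detection like this is a stopgap: the actual fix for the cases in the table is to check on every request that the caller is authorised for the specific record, and preferably to use identifiers that cannot be guessed from one another.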
While the vulnerabilities alone are bad, combining them may make them more severe. So which of the 13 could have been used together?
In the table below I've marked the cases in which there is some overlapping data that makes it possible to retrieve more data or increase the attack surface.
|#1 - Tryg + Infotorg||-||-||-||-||-||-||-||-||-||-||-||-||-|
|#2 - Acme||-||-||-||-||-||-||-||-||-||-||-||-|
|#3 - Digipost||✔||-||-||-||-||-||-||-||-||-||-||-|
|#4 - Acme2||-||-||-||-||-||-||-||-||-||-|
|#5 - Sbanken||-||-||-||-||-||-||-||-||-|
|#6 - Orkla + Japan Photo||-||-||-||-||-||-||-||-|
|#7 - Energi Treningssenter||✔||✔||✔||-||-||-||-||-||-||-|
|#8 - Acme3||✔||✔||✔||✔||-||-||-||-||-||-|
|#9 - IKEA||✔||✔||✔||✔||-||-||-||-||-|
|#10 - Memoria||-||-||-||-|
|#11 - Gator Watch||✔||-||-||-|
|#12 - Gjensidige||✔||✔||✔||✔||✔||-||-|
|#13 - GoShopping||✔||✔||✔||✔||✔||✔||-|
I wanted to write this post to try to make it clear why you should care about these issues. When I can find all this data with very little time and effort, then this sure must be the tip of a very small iceberg in an ocean with a lot of very big icebergs.