Case #21: Leaving a backup in public

A web shop left a backup of all their shopping data and their site in a publicly accessible directory, indexed by Google.

Published: Mon, March 11, 2019, 06:40
Category: Security
Tags: Security Monday, Information leak, OWASP 2017 A3, OWASP 2017 A6

tl;dr

An e-commerce site had misconfigured their site, which left a backup of their entire site and database, including all shopping and personal data, available on the Internet. And you could find it with a simple Google search.

Summary

Who: Anonymous, let's call them Acme5
Severity level: High
Reported: September 2018
Reception and handling: Very good
Status: Fixed
Reward: A thank you
Issue: Website backup and database backup accessible by a simple Google search

Background

Acme5 is a Norwegian physical specialist store that also has an online web store.

I briefly mentioned this case in the presentation I gave in October 2018 at the security conference Sikkerhetssymposiet, but I never got around to writing about it. I have been wanting to do one or more write-ups on Google dorking, that is, how to use Google to find security vulnerabilities. A good starting point for checking your own security is googling yourself. There is an endless amount of vulnerabilities and secret material indexed by Google, available to anyone using a simple Google search. While doing research for this kind of write-up I found the issue presented here.

Approach

I searched for something along the lines of intitle:"index of" intext:backup. "Index of" in the title is used by at least the Apache web server when displaying a directory listing. "backup" is an interesting name to see in a directory listing.

One of the search results in particular caught my attention. I clicked it and was a bit like "can this really be what it looks like?" Could it be a honeypot? If I were to leave some fake data on the Internet I would leave it just like that.

I clicked the files and took a quick peek. This was the real deal.

Security issues

The database backup of the web shop contained, among other things, the following information about all their customers, approximately 1,000 persons:
  • Full name
  • Full address
  • E-mail address
  • Phone number
  • Hashed password
  • Password salt
  • Browser version
  • Full purchase history

The website backup contained the source code and configuration of the full site. I don't think Acme5 could have much more to leak. At least the passwords were hashed with individual salts, which defends against pre-computed rainbow table attacks, but with the database in hand the hashes would still be open to offline dictionary attacks, and brute forcing them becomes easier.

Reception and handling

Day zero

I was a bit amazed by this finding and considered for a second whether this was a case for Troy Hunt and his service Have I Been Pwned. However, I ended up just contacting the web shop by e-mail.

1.5 hours later I received a reply from the IT company Acme5 was using, thanking me for alerting them and asking for confirmation that I had deleted the files. They claimed to have web server access logs pre-dating the 3-month-old backups and that the files had only been downloaded once. I confirmed that I no longer had the files. They said they would "take the appropriate action in accordance with Acme5's GDPR routines". And that was it.

Now, I have no idea if they followed up on the incident, or if they reported anything to the Data Protection Authority or not. Maybe they felt like they didn't have to, since they claimed that no one else had accessed the files.
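A claim like "the files were only downloaded once" is exactly what a defender should verify from the access logs rather than take on trust. As an added example that is not part of the original post or the vendor's tooling, the script below parses Apache combined-format access log lines and reports which clients successfully fetched backup-looking paths; the log lines, file names and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format (the default on most distributions).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Names that look like site or database dumps; extend with your own naming scheme.
BACKUP_RE = re.compile(r'(backup|dump|\.sql|\.tar\.gz|\.tgz|\.zip|\.bak)\b', re.I)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def backup_accesses(lines):
    """Map each backup-looking path to {client_ip: number_of_successful_GETs}.

    Only 200 and 206 responses count: a 404 means nothing left the server, and
    206 (partial content) is how download managers fetch large archives.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["status"] in ("200", "206") and BACKUP_RE.search(path):
            hits[path][rec["ip"]] += 1
    return {p: dict(ips) for p, ips in hits.items()}

# Constructed sample lines (documentation IP ranges), not from the real incident.
# 192.0.2.10 plays a search-engine crawler: its fetch is what gets a backup indexed.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2018:03:12:07 +0200] "GET /backup/ HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (compatible; examplebot/1.0)"
192.0.2.10 - - [10/Jun/2018:03:12:09 +0200] "GET /backup/shop_db.sql HTTP/1.1" 200 58311234 "-" "Mozilla/5.0 (compatible; examplebot/1.0)"
198.51.100.7 - - [02/Sep/2018:21:40:11 +0200] "GET /backup/ HTTP/1.1" 200 1432 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2018:21:40:30 +0200] "GET /backup/shop_db.sql HTTP/1.1" 200 58311234 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2018:21:41:02 +0200] "GET /backup/site_2018-06.tar.gz HTTP/1.1" 206 4194304 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Sep/2018:10:01:55 +0200] "GET /backup/shop_db.sql HTTP/1.1" 404 512 "-" "curl/7.58.0"
203.0.113.9 - - [03/Sep/2018:10:02:10 +0200] "GET /index.php HTTP/1.1" 200 9032 "-" "curl/7.58.0"
"""

if __name__ == "__main__":
    for path, ips in sorted(backup_accesses(SAMPLE_LOG.splitlines()).items()):
        print(f"{path}: {len(ips)} distinct client(s) {ips}")
```

Note that the crawler's fetch counts as a disclosure too: once a search engine has downloaded the dump, "downloaded once" by a human is not the whole story.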

Anonymous you say?

I have been in doubt if this is a case where the company should be named. I suppose this is the biggest leak where I haven't named the company. The reasons for not doing so are that Acme5 isn't that big, their IT vendor is a small company, and supposedly they can tell for sure that no one previously had accessed the data.

Conclusion

Technically it's incredibly simple for a system administrator to make a mistake like this, but you just can't do it. (Sometimes you have to wonder if some leaks are intentional.)

As an IT company: please Google yourself. And please hire an external company to do penetration tests and regular security audits. And stay tuned for that blog post about Google hacking.
