A web shop left their backup of all shopping data and their site in a publicly available directory - indexed by Google.
|Published:||Mon, March 11, 2019, 06:40|
OWASP 2017 A3
OWASP 2017 A6
An e-commerce site had misconfigured their site which led to their backup of their entire site + database with all shopping and personal data to be available on the Internet. And you could find it with a simple Google search.
|Who:||Anonymous, let's call them Acme5|
|Reception and handling:||Very good|
|Reward:||A thank you|
|Issue:||Website backup and database backup accessible by a simple Google search|
Acme5 is a Norwegian physical specialist store that also have an online web store.
I briefly mentioned this case in the presentation I gave in October 2018 at the security conference Sikkerhetssymposiet, but I never got around to writing about it. I have been wanting to do one or more write-ups on Google dorking, that is, how to use Google to find security vulnerabilities. A good starting point for checking your own security is googling yourself. There are just endless and endless of vulnerabilities and secret stuff indexed by Google available for anyone using a simple Google search. While doing research for this kind of write-up I found the issue presented here.
intitle:"index of" intext:backup. "Index of" in the title is used by at least the Apache web server when a displaying directory listing. "backup" is an interesting name to see in a directory listing.
Especially one of the search results caught my attention. I clicked it and was a bit like "can this really be what it looks like?" Could it be a honeypot? If I were to leave some fake data on the Internet I would leave it just like that.
I clicked the files and took a quick peek. This was the real deal.
The website backup contained the source code and configuration of the full site. I don't think Acme5 could have much more to leak. At least the passwords were hashed with individual salt defending against pre-computed rainbow table attacks, but having the database the hashes would still be open against dictionary attacks and making it easier to brute force them.
1.5 hour later I received a reply from the IT company Acme5 was using, thanking me for alerting them and asking for confirmation that I had deleted the files. They claimed to have web server access logs pre-dating the 3 months old backups and that the files were only downloaded once. I confirmed that I no longer had the files. They said they would "take the appropriate action in accordance Acme5's GDPR routines". And that was it.
Now, I have no idea if they did follow up the incident, if they reported anything to the Data Protection Authority or not. Maybe they felt like they didn't have to since they claimed that no one else had accessed the files.
I have been in doubt if this is a case where the company should be named. I suppose this is the biggest leak where I haven't named the company. The reasons for not doing so are that Acme5 isn't that big, their IT vendor is a small company, and supposedly they can tell for sure that no one previously had accessed the data.
Technically it's incredible simple for a system administrator to do a mistake like this, but you just can't do it. (Sometimes you have to wonder if some leaks are intentional.)
As an IT company; please Google yourself. And please hire an external company to do penetration tests and regular security audits. And stay tuned for that blog post about Google hacking.