Detalhes pessoais de aproximadamente 700.000 clientes da American Express (Amex Índia) na Índia foram expostos on-line através de um servidor MongoDB não seguro.
A enorme quantidade de dados foi descoberta por Bob Diachenko da empresa de segurança Hacken. A maioria dos registos estava cifrados, mas 689.272 registos estavam disponíveis em texto simples.
O especialista localizou a base de dados usando o Shodan e BinaryEdge.io.
“On 23rd October I discovered an unprotected Mongo DB which allowed millions of records to be viewed, edited and accessed by anybody who might have discovered this vulnerability. The records appeared to be from an American Express branch in India.” states the blog post published by Diachenko.
689.272 registos em plain-text incluíam detalhes pessoais dos números de telefone, nomes, endereços de e-mail e campos de descrição com outras informações dos clientes da Amex India.
O ficheiro incluiu 2.332.115 registos que continham dados cifrados (por exemplo, nomes, endereços, números de Aadhaar, números de cartões PAN e números de telefone).
Seems like @AmexIndia exposed its #MongoDB for a while, with some really sensitive data (base64 encrypted). Now secured (just when I was preparing responsible disclosure), but question remains how long it was open. Found with @binaryedgeio engine. pic.twitter.com/3kbXaS4cIz
— Bob Diachenko (@MayhemDayOne) October 25, 2018
“Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one their subcontractors who were responsible for SEO or lead generation. I came to this conclusion since many of the entries contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’ etc.” added Diachenko.
Diachenko comunicou prontamente as suas descobertas à Amex India, que imediatamente deixou indisponível o servidor. No momento em que este artigo foi escrito não está claro quanto tempo o servidor permaneceu exposto on-line, a Amex India, que investigou o caso, declarou que não descobriu nenhuma “evidência de acesso não autorizado”.
“We applaud AmEx’s rapid response to this issue, noting they immediately took down that server upon notification and began further investigations.” Diachenko concluded.
“As we learned from this incident, one never knows when transient firewall rules may inadvertently expose your development machines to the public. In this case, it appears to have only exposed some long-lost personal information of an unknown number of AmEx India customers, but for others, it could be critical intellectual property or even your entire subscriber base that is at risk of being exposed.”
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.