Sensitive private and financial information of hundreds of credit card users was discovered in a database that lay unsecured. Researchers running a simple scanning program found a database exposed on the Internet owned by Fieldwork Software. Shockingly, the data contained extensive financial details belonging to business clients. In addition to the credit card details, other highly sensitive information such as associated names, GPS tags, and even communication between the client and the service provider could potentially be accessed and exploited. The troubling aspect is that the kind of scanning project that exposed the leaky database is rather easy to deploy and is increasingly used by professional hacking groups to exploit financial information or plant malware.
Researchers working for vpnMentor cybersecurity, who uncovered the exposed database of Fieldwork Software, published their discoveries in a blog post. The team, comprising Noam Rotem and Ran Locar, indicated that about 26 GB of data remained exposed. It is clear that the database wasn’t intentionally left exposed. However, the discovery does expose the danger of financial information remaining exploitable by any group of programmers who know where to look, or who initiate a random hunt for servers or databases that haven’t been properly secured. Interestingly, the size of the data may not be big, but the nature of the information could be exploited to launch several massive digital financial heists.
Unprotected Elasticsearch database exposes 2 billion user records from smart home devices: Security researchers, Noam Rotem and Ran Locar, from vpnMentor recently revealed in their report, that a Shenzhen-based Chinese IoT management platform company,… https://t.co/a9eqEqTFt6 pic.twitter.com/AyQ8QPrVli
— CS Threat Intel (@cipherstorm) July 5, 2019
Anstar-owned Fieldwork Software Had a Leaky Database Which Was Secured With Poor Security Protocols
vpnMentor cybersecurity researchers discovered the exposed, poorly secured database during a web scanning project. The company’s ongoing project essentially sniffs around on the internet looking for open ports. These ports are gateways to databases that are commonly stored on servers. The project is part of an initiative to hunt for and discover ports that are accidentally or inadvertently left open or unsecured. Such ports can easily be exploited to scrape or collect data.
On several occasions, such ports have become the source of the leak in accidental public disclosures of sensitive corporate data. Moreover, enterprising groups of hackers often carefully sift through the data and look for further routes to exploit. Email IDs, phone numbers and other personal details are often used to launch attacks that rely on social engineering. Seemingly authentic emails and phone calls have been used in the past to get victims to open emails and malicious attachments.
Sensitive customer data leaked: Our ethical hackers found an open database of Fieldwork, SMB software provider, containing end-user credit card numbers, addresses and even alarm codes and passwords >> https://t.co/NluDR1wVLF#databreach pic.twitter.com/ecrYw6Gzht
— vpnMentor (@vpnmentor) July 8, 2019
Fieldwork Software is essentially a platform meant for Small and Medium Businesses (SMBs). The Anstar-owned company’s further narrowed-down target market is SMBs that offer services at customers’ doorsteps. SMBs offering home services need a lot of information and tracking tools to ensure optimum Customer Service Management and Customer Relationship Management. Fieldwork’s platform is mostly cloud-based. The solution lets companies track their employees who make house calls, which helps in establishing and maintaining CRM records. Additionally, the platform offers several more client servicing features, including scheduling, invoicing, and payment systems.
The exposed database contained financial and personal information of Fieldwork Software’s business clients. Incidentally, at 26 GB, the size of the database appears quite small. However, the database reportedly included customer names, addresses, phone numbers, emails and communication sent between users and clients. Shockingly, this was just a part of the database. Other components that remained exposed included instructions sent to servicing employees and the photos of the work sites that the employees took for their records.
If that’s not bad enough, the database also included sensitive personal information of the clients’ physical locations. The information reportedly included GPS locations of clients, IP addresses, billing details, signatures, and full credit card details — including card number, expiration date, and CVV security code.
While the clients’ information was exposed, Fieldwork Software’s own platform remained vulnerable as well. This is because the database also included automatic login links used to access the Fieldwork service portal. In simple words, the digital keys to the platform’s backend system and administration were also present in the database. Needless to say, a malicious or enterprising hacker could penetrate Fieldwork’s core platform without much difficulty. Moreover, once inside, a hacker could easily disrupt the platform and cause it to lose its reputation, cautioned vpnMentor cybersecurity’s researchers:
“Access to the portal is a particularly dangerous piece of information. A bad actor can take advantage of that access not just by using the detailed client and administrative records stored there. They could also lock the company out of the account by making backend changes.”
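The two findings above, full card data including CVV stored alongside customer records and auto-login links sitting in the same database, are exactly what a data-at-rest audit should catch before an exposure ever happens. The following is an added example, not code from vpnMentor or from Fieldwork Software: it scans a constructed sample export for Luhn-valid card numbers, retained CVVs, bearer-style auto-login URLs, and records older than the 30-day retention window the article mentions. The field names, the sample records, the `auto_token` parameter name and the portal hostname are all assumptions made for the example.

```python
import re
from datetime import date

# Constructed sample export for the example; not data from the Fieldwork incident.
# Record 1 shows every problem at once; record 2 uses a payment token instead of a
# PAN; record 3 holds a 16-digit number that is NOT Luhn-valid (a false positive
# the check must reject).
SAMPLE_RECORDS = [
    {"id": 1, "customer": "A. Example", "card_number": "4111 1111 1111 1111",
     "cvv": "123", "notes": "Lockbox on porch, code 4321", "created": "2019-05-20",
     "portal_link": "https://portal.example.invalid/login?auto_token=abcdef0123456789"},
    {"id": 2, "customer": "B. Example", "card_number": "tok_8f3a9c",
     "cvv": "", "notes": "Call before arrival", "created": "2019-07-01", "portal_link": ""},
    {"id": 3, "customer": "C. Example", "card_number": "1234 5678 9012 3456",
     "cvv": "", "notes": "", "created": "2019-07-03", "portal_link": ""},
]

# 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed shape of an auto-login link: a URL carrying a credential in the query string.
AUTO_LOGIN = re.compile(r"https?://\S+[?&](?:auto_token|token|auth)=", re.IGNORECASE)
RETENTION_DAYS = 30  # the purge window stated in the article


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum; rejects most random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) embedded in a string."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def audit_record(rec: dict, today: date) -> list:
    """Return a list of human-readable findings for one record (empty if clean)."""
    findings = []
    for field, value in rec.items():
        if isinstance(value, str) and find_pans(value):
            findings.append(f"{field}: full card number (Luhn-valid PAN) stored")
    if rec.get("cvv"):
        findings.append("cvv: CVV stored; must not be retained after authorisation")
    if rec.get("portal_link") and AUTO_LOGIN.search(rec["portal_link"]):
        findings.append("portal_link: auto-login link stored alongside customer data")
    age = (today - date.fromisoformat(rec["created"])).days
    if age > RETENTION_DAYS:
        findings.append(f"created: record is {age} days old, past the {RETENTION_DAYS}-day window")
    return findings


def audit(records: list, today_iso: str = "2019-07-08") -> dict:
    """Map each record id to its findings; the default 'today' is the article's date."""
    today = date.fromisoformat(today_iso)
    return {rec["id"]: audit_record(rec, today) for rec in records}


if __name__ == "__main__":
    for rec_id, findings in audit(SAMPLE_RECORDS).items():
        print(rec_id, findings or "clean")
```

The Luhn step matters: without it, any 13 to 19 digit run (invoice numbers, tracking ids) would be reported as a card number, and the report would be ignored. In practice the same checks belong in a scheduled job over the real export, with the retention check feeding an automated purge rather than a report.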
Fieldwork Software Acts Swiftly And Plugs Breach
vpnMentor cybersecurity’s researchers categorically noted that Fieldwork Software acted very swiftly and plugged the security breach. Essentially, vpnMentor disclosed the existence of the leaking database to Fieldwork prior to public disclosure, and the latter closed the leak within 20 minutes of receiving the researchers’ email.
Thanks for your report. Just update this issue status: vpnMentor has confirmed that ORVIBO secured the database system and they also updated related article. Please help update it in https://t.co/8VeYYYwWnd. Thanks pic.twitter.com/gGo1uadG3M
— ORVIBO (@ORVIBO) July 4, 2019
Still, for an undisclosed amount of time, Fieldwork Software’s entire platform, its client database, and its clients as well, were at high risk of penetration and exploitation. What’s concerning is that the database contained not only sensitive digital information but also information about real-world, physical locations. According to the researchers, the database contained “appointment times and instructions for accessing buildings including alarm codes, lockbox codes, passwords, and descriptions of where keys were hidden.” Granted, such records were purged 30 days after being created, but hackers could still potentially organize attacks on physical locations with such information. Knowing the locations of keys and access codes would allow attackers to bypass security without resorting to violence or force.
Fieldwork Software’s swift action is commendable, especially because notification of data breaches is often met with severe criticism, denial, and counter-accusations of corporate sabotage. More often than not, companies take their own sweet time to plug the security holes. There have been quite a few instances wherein companies have outright denied the existence of exposed or unsecured databases. Hence, it is heartening to see companies taking quick cognisance of the situation and acting swiftly.