[BreachExchange] Credit Card Details Including Personal Information, IP Addresses, And Other Communication Found Exposed Of Fieldwork Software
Destry Winant
destry at riskbasedsecurity.com
Wed Jul 10 09:46:52 EDT 2019
https://appuals.com/credit-card-details-including-personal-information-ip-addresses-and-other-communication-found-exposed-of-fieldwork-software/
Sensitive personal and financial information of hundreds of credit card
users was discovered sitting in an unsecured database.
Researchers running a simple scanning program found a database exposed
on the Internet that belonged to Fieldwork Software. Shockingly, the
data contained extensive financial details of the company's business
clients. In addition to the credit card details, other highly sensitive
information such as associated names, GPS tags, and even communication
between the client and the service provider could potentially be
accessed and exploited. The troubling aspect is that the kind of
scanning project that turned up the leaky database is easy to deploy
and is increasingly used by professional hacking groups to exploit
financial information or plant malware.
Researchers at vpnMentor who uncovered the exposed database of
Fieldwork Software published their findings in a blog post. The team,
comprising Noam Rotem and Ran Locar, indicated that about 26 GB of data
had been exposed. It is clear that the database wasn't intentionally
left exposed. However, the discovery does highlight the danger of
financial information remaining exploitable by any group of programmers
who know where to look, or who simply run a random hunt for servers or
databases that haven't been properly secured. The volume of data may
not be large, but the nature of the information could be exploited to
launch several large-scale digital financial heists.
Anstar-Owned Fieldwork Software Had a Leaky Database Secured With Poor
Security Protocols
vpnMentor's researchers discovered the exposed, poorly secured database
during a web scanning project. The company's ongoing project
essentially sniffs around the internet looking for open ports. These
ports are gateways to databases commonly hosted on servers. The project
is part of an initiative to hunt for ports that have been accidentally
or inadvertently left open or unsecured. Such ports can easily be
exploited to scrape or collect data.
On several occasions, such ports have been the source of accidental
public disclosure of sensitive corporate data. Moreover, enterprising
groups of hackers often carefully sift through the data and look for
further routes to exploit. Email IDs, phone numbers and other personal
details are often used to launch attacks that rely on social
engineering. Seemingly authentic emails and phone calls have been used
in the past to get victims to open emails and malicious attachments.
Fieldwork Software is a platform aimed at Small and Medium Businesses
(SMBs). The Anstar-owned company's more narrowly defined target market
is SMBs that offer services at customers' doorsteps. SMBs offering home
services need a lot of information and tracking tools to ensure optimum
Customer Service Management and Customer Relationship Management.
Fieldwork's platform is mostly cloud-based. The solution lets companies
track their employees who make house calls, which helps in establishing
and maintaining CRM records. Additionally, the platform offers several
more client-servicing features including scheduling, invoicing, and
payment systems.
The exposed database contained financial and personal information of
Fieldwork Software's business clients. At 26 GB, the database appears
quite small. However, it reportedly included customer names, addresses,
phone numbers, emails and communication sent between users and clients.
Shockingly, this was just a part of the database. Other exposed
components included instructions sent to servicing employees and the
photos of work sites that employees took for their records.
If that's not bad enough, the database also included sensitive personal
information about the clients' physical locations. The information
reportedly included GPS locations of clients, IP addresses, billing
details, signatures, and full credit card details, including card
number, expiration date, and CVV security code.
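As an added example (not from the article, vpnMentor or Fieldwork), a defender-side audit in Python that flags the two things that made this exposure so damaging when found in stored records: full card numbers (Luhn-checked) and CVV values, which must never be retained after authorization. The sample records, field names and test card numbers are constructed.

```python
import re

# Constructed sample rows standing in for a customer database export.
# The card numbers are widely published test numbers, not real cards.
SAMPLE_RECORDS = [
    {"name": "Customer A", "card_number": "4111 1111 1111 1111", "exp": "12/24", "cvv": "123"},
    {"name": "Customer B", "card_number": "5500000000000004", "exp": "01/23"},
    {"name": "Customer C", "card_number": "1234567890123456", "cvv": "999"},  # fails Luhn
    {"name": "Customer D", "notes": "paid by cheque"},
]

# Field names (assumed) under which a CVV is commonly, and wrongly, stored.
CVV_FIELDS = {"cvv", "cvc", "cvv2", "security_code"}
# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in text."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def audit_record(record: dict) -> list[str]:
    """List findings for one record: stored CVV fields and full PANs."""
    findings = []
    for key, value in record.items():
        if key.lower() in CVV_FIELDS and str(value).strip():
            findings.append(f"CVV stored in field '{key}'")
        for pan in find_pans(str(value)):
            findings.append(f"full PAN in field '{key}' (ends {pan[-4:]})")
    return findings


def audit_records(records: list[dict]) -> dict[str, list[str]]:
    """Map each record's name to its findings, omitting clean records."""
    report = {}
    for i, record in enumerate(records):
        findings = audit_record(record)
        if findings:
            report[record.get("name", f"record-{i}")] = findings
    return report
```

Run against a real export, the report tells you which fields hold full PANs (candidates for tokenization) and which hold CVVs (data that should be deleted outright).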
While the clients' information was exposed, Fieldwork Software's own
platform was vulnerable as well, because the database also included
automatic login links used to access the Fieldwork service portal. In
simple words, the digital keys to the platform's backend and
administration were present in the database. Needless to say, a
malicious or enterprising hacker could penetrate Fieldwork's core
platform without much difficulty. Moreover, once inside, a hacker could
disrupt the platform and damage its reputation, cautioned vpnMentor's
researchers:
“Access to the portal is a particularly dangerous piece of
information. A bad actor can take advantage of that access not just by
using the detailed client and administrative records stored there.
They could also lock the company out of the account by making backend
changes.”
Fieldwork Software Acts Swiftly And Plugs Breach
vpnMentor's researchers noted that Fieldwork Software acted very
swiftly and plugged the security breach. vpnMentor disclosed the
existence of the leaking database to Fieldwork prior to public
disclosure, and the latter closed the leak within 20 minutes of
receiving the researchers' email.
Still, for an undisclosed amount of time, Fieldwork Software's entire
platform, its client database, and its clients as well, were at high
risk of penetration and exploitation. What's concerning is that the
database contained not only sensitive digital information, but also
information about real-world, physical locations. According to the
researchers, the database contained "appointment times and instructions
for accessing buildings including alarm codes, lockbox codes,
passwords, and descriptions of where keys were hidden." Granted, such
records were purged 30 days after being created, but hackers could
still potentially organize attacks on physical locations with such
information. Knowing the locations of keys and the access codes would
allow attackers to bypass physical security without resorting to
violence or force.
Fieldwork Software’s swift action is commendable especially because
notification of data breaches is often met with severe criticism,
denial, and counter-accusations of corporate sabotage. More often than
not, companies take their own sweet time to plug the security holes.
There have been quite a few instances wherein companies have outright
denied the existence of exposed or unsecured databases. Hence it is
heartening to see companies taking quick cognisance of the situation
and acting swiftly.