[BreachExchange] Real estate app leaking thousands of user records and sensitive private messages

Destry Winant destry at riskbasedsecurity.com
Fri May 29 10:31:18 EDT 2020 

https://securityaffairs.co/wordpress/103846/breaking-news/real-estate-app-data-leak.html

Real estate app leaking thousands of user records and sensitive private
messages

The CyberNews research team uncovered an unsecured Amazon Simple Storage
Service bucket of confidential user chat logs belonging to Real estate app
Tellus, a US-based software company.

Tellus is a software company based in Palo Alto, California, backed by
“well-known investors” that aims to “reimagine Real Estate for the modern
era.” The company’s app portfolio includes the Tellus App, a real estate
loan, management and investing program. Its target users are American
landlords and tenants who can receive and pay rent money, as well as keep
all of their ownership and rent related data like rental listings, personal
information, and correspondence between tenants and landlords in one place.

The data bucket in question contains a folder with 6,729 CSV files related
to the Tellus app that include the app’s user records, chat logs, and
transaction records left on a publicly accessible Amazon storage server.

How we found the Tellus app bucket

We discovered the exposed data by scanning through open Amazon Simple
Storage Service (S3) buckets, which are online servers that can be used to
store data for websites, apps, archives, IoT devices, and more.

Amazon S3 buckets are also known for being challenging to secure, leaving
many servers unprotected – and often in the news.

We identified Tellus as the owner of the database and notified the company
about the leak. As of May 15, the data bucket security issue has been fixed
by the Tellus security team and the data is no longer accessible.

What’s in the data bucket?

The unsecured and unencrypted Amazon S3 bucket contains, among other things:


   - 16,861 user records, including 3,194 verified property owner records
   and 1,294 verified tenant records stored in separate files
   - Chat logs of private messages between thousands of Tellus platform
   users, including landlords, tenants, building managers, investors, and
   Tellus support staff between early 2018 and January 2020
   - Tens of thousands of timestamped property owner transaction records
   - Detailed tenant lead and payment records, including transaction
   metadata


All of this data is conveniently stored in spreadsheet format that can be
easily opened, read, and downloaded by anyone who knows what to look for.

The exposed user records contain:


   - Full names of users, including verified tenants and property owners
   - Traceable user IDs used in transaction records and other logs
   - Email addresses
   - Phone numbers


Example of leaked user records:

The private messages in the chat logs and tenant lead files contain not
only the texts of the conversations themselves, but also deeply sensitive
content attached therein, including:


   - Full names of the parties involved in the conversation
   - Rent amounts and dates when they are due
   - Tenants’ rented home addresses
   - Case charges and court dates
   - Tenant document scans
   - Screenshots of sensitive images, including other conversations on
   social media



This means that, in the worst-case scenario, leaving the Tellus S3 bucket
unsecured and unencrypted might have led to the continued exposure of data
belonging to the entire Tellus user base over a period of up to two years,
from 2018 to 2020.

Who had access?

The exposed data was hosted on an Amazon Simple Storage Service (S3) server
and located in the US. It is currently unknown for how long the data was
left unprotected, and we assume that anyone who knew what to look for could
have accessed the data bucket without needing any kind of authentication
during the unspecified exposure period.

With that said, it is unclear if any malicious actors have accessed the
unsecured data bucket until it was closed by Tellus.

What’s the impact?

While numbers-wise this might not appear like a major leak, the impact on
the nearly 17,000 Americans whose records were exposed could be significant
if certain data was made publicly available.

Here’s how attackers might use the information found in the Tellus S3
bucket against the exposed users:


   - Blackmailing both tenants and landlords by threatening to publicize
   the sensitive content found in their private messages and transaction logs
   - Using the information found in private messages to mount targeted
   phishing attacks, hack online bank accounts, and engage in identity theft
   - Spamming emails and phones
   - Brute-forcing the passwords of the email addresses
   - Brute-forcing the passwords of the Tellus accounts and stealing the
   funds therein
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20200529/cddc1351/attachment.html>

More information about the BreachExchange mailing list