The parent company of Chinese e-retailing giant Gearbest has been operating a completely unsecured corporate database, leaving roughly 1.5 million customer records unencrypted and exposed to the public, a new report warns.
Led by white-hat hacker Noam Rotem, researchers from VPNMentor revealed the security issue after discovering they were able to access Gearbest's customer, order, and billing/payment information. Exposed data includes names, shipping addresses, birth dates, phone numbers, email addresses, IP addresses, national ID and passport information, account passwords and payment information.
"Gearbest's database isn't just unsecured. It's also providing potentially malicious agents with a constantly-updated supply of fresh data," states VPNMentor's online report. Gearbest reportedly uses an Elasticsearch database, which VPNMentor says "is ordinarily not designed for URL use. However, we were able to access it via [a] browser and manipulate the URL search criteria into exposing up to 10,000 schemata from a single index at any time."
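As an added example (not part of the report and not Gearbest's or VPNMentor's code), the following detection pass shows how a defender could spot the pattern the researchers describe in reverse-proxy access logs in front of an Elasticsearch cluster: unauthenticated search requests that ask for documents up to the 10,000 ceiling, plus index-listing calls. The combined log layout, the threshold and the sample lines are assumptions constructed for the example.

```python
"""Flag unauthenticated bulk-export style requests against Elasticsearch in proxy access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line from a reverse proxy in front of Elasticsearch (assumed layout):
# client - proxy_user [timestamp] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Elasticsearch caps from+size at index.max_result_window (default 10,000); an application
# query rarely needs more than a page, so anything near that ceiling is a bulk pull.
SIZE_THRESHOLD = 1000

def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec

def requested_size(rec):
    """Largest integer 'size' parameter in the request, 0 if absent or malformed."""
    vals = [int(v) for v in rec["query"].get("size", []) if v.isdigit()]
    return max(vals, default=0)

def is_bulk_export(rec):
    """True for an unauthenticated (no proxy user) large search or an index-discovery call.
    Status is deliberately ignored: a 400 for from+size beyond the window is still an attempt."""
    if rec["user"] != "-":
        return False
    path = rec["path"]
    if path.endswith("/_search") and requested_size(rec) >= SIZE_THRESHOLD:
        return True
    return path.startswith("/_cat/") or path.endswith("/_mapping")

def flag_bulk_exports(log_text):
    """Return (client_ip, path, size) for every line that looks like an unauthenticated bulk export."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bulk_export(rec):
            hits.append((rec["ip"], rec["path"], requested_size(rec)))
    return hits

# Constructed sample log: three anonymous data-pull requests and one normal application query.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:08:14:03 +0000] "GET /orders/_search?size=10000&q=* HTTP/1.1" 200 5123456
10.0.0.5 - app-svc [10/Mar/2019:08:14:05 +0000] "GET /orders/_search?size=20&q=order_id:1234 HTTP/1.1" 200 2311
203.0.113.7 - - [10/Mar/2019:08:14:06 +0000] "GET /_cat/indices?v HTTP/1.1" 200 812
203.0.113.7 - - [10/Mar/2019:08:14:09 +0000] "GET /members/_search?from=10000&size=10000 HTTP/1.1" 400 190
"""

if __name__ == "__main__":
    for ip, path, size in flag_bulk_exports(SAMPLE_LOG):
        print(f"suspicious: {ip} {path} size={size}")
```

The same check belongs in the cluster itself: with Elasticsearch's own authentication enabled the anonymous requests above would not reach an index at all, and the proxy log then only serves as a second line of detection.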