The parent company of Chinese e-retailing giant Gearbest has been operating a completely unsecured corporate database, leaving roughly 1.5 million customer records unencrypted and exposed to the public, a new report warns.
Led by white-hat hacker Noam Rotem, researchers from VPNMentor revealed the security issue after discovering they were able to access Gearbest's customer, order, and billing/payment information. Exposed data includes names, shipping addresses, birth dates, phone numbers, email addresses, IP addresses, national ID and passport information, account passwords and payment information.
"Gearbest's database isn't just unsecured. It's also providing potentially malicious agents with a constantly-updated supply of fresh data," states VPNMentor's online report. Gearbest reportedly uses an Elasticsearch database, which VPNMentor says "is ordinarily not designed for URL use. However, we were able to access it via [a] browser and manipulate the URL search criteria into exposing up to 10,000 schemata from a single index at any time."
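The report's point is that ordinary URL query parameters were enough to page through thousands of records. As an added example (not from the report or from Gearbest), the following flags successful anonymous bulk reads in access logs from a reverse proxy placed in front of an Elasticsearch cluster; the log format, the `-` marker for a missing Authorization header and the 1000-document threshold are assumptions for this example, and the log lines are constructed.

```python
"""Flag proxy access-log entries that look like anonymous bulk reads of an
Elasticsearch index via plain URL query parameters (size/from on _search,
or index enumeration via _cat). Format and threshold are assumptions."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: client ip, auth marker ("-" = no credentials),
# method, path+query, HTTP status
SAMPLE_LOG = """\
203.0.113.7 - GET /customers/_search?q=*&size=10000 200
203.0.113.7 - GET /orders/_search?q=*&size=10000&from=10000 200
10.0.0.5 user:svc-reporting GET /orders/_search?q=status:shipped&size=50 200
198.51.100.3 - GET /_cat/indices?v 200
10.0.0.9 user:app GET /customers/_doc/42 200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
BULK_THRESHOLD = 1000  # assumed; tune to what legitimate clients actually page


def parse_line(line):
    """Split one constructed log line into a record, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, auth, method, target, status = m.groups()
    url = urlsplit(target)
    query = {k: v[-1] for k, v in parse_qs(url.query).items()}
    return {"ip": ip, "anonymous": auth == "-", "method": method,
            "path": url.path, "query": query, "status": int(status)}


def is_bulk_read(rec):
    """Successful _search with a large page, or a _cat listing of indices."""
    if rec["status"] != 200:
        return False
    if rec["path"].startswith("/_cat/"):
        return True  # enumerating indices reveals the cluster's layout
    if not rec["path"].endswith("/_search"):
        return False
    try:
        size = int(rec["query"].get("size", "10"))  # Elasticsearch default page is 10
    except ValueError:
        return False
    return size >= BULK_THRESHOLD


def flag_anonymous_bulk_reads(lines):
    """Return (ip, path) pairs for anonymous bulk reads worth alerting on."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["anonymous"] and is_bulk_read(rec):
            hits.append((rec["ip"], rec["path"]))
    return hits
```

Authenticated reporting queries and single-document lookups pass; the two unauthenticated full-index pulls and the index enumeration are returned.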
Gearbest is owned by the Chinese conglomerate Shenzhen Globalegrow E-Commerce Co., which also operates sites for brands like DressLily, Rosegal, Sammy Dress and Zaful. Data for these sister companies have similarly been left unsecured, the report asserts.
"We saw lots of sensitive information – including email addresses and passwords – that was completely unencrypted," states the report, noting that certain email addresses contained some hashing, perhaps as a "partially implemented security measure." Moreover, VPNMentor insists that a large amount of the personally identifiable data Gearbest has been obtaining from customers is not even necessary for an e-commerce retailer to collect.
VPNMentor says its researchers successfully managed to log into two Gearbest accounts that did not belong to them. Attackers could potentially do the same, the report warns, in order to spy on or manipulate orders and accounts, spend money using saved payment methods or even steal customer identities.
In some cases, exposed payment information included URL links pertaining to transactions completed via the voucher-based payment systems Oxxo and Boleto Bancario, which are used in Mexico and Brazil, respectively. These links contain transactional and banking information that attackers could leverage to impersonate users.
The researchers even found that they were able to access Globalegrow's Kafka data management program. Adversaries who do the same could potentially disrupt company operations or manipulate data, the report explains.
VPNMentor says that it contacted both Globalegrow and Gearbest to disclose the issue, but has not received a response.
"...Companies are accelerating their use of technologies more than they're enabling their teams or hiring effective people, and that will be the downfall of utilizing servers like Elasticsearch," said Terry Ray, SVP and fellow at Imperva. "The use of modern data repositories can often provide cost savings, business intelligence, information sharing and increased technology scale, yet they also introduce complexities and requirements which often require advanced enablement of technical staff before their use. It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn't happen."
While other companies have also erred using Elasticsearch servers, Brian Johnson, CEO and co-founder at DivvyCloud, said that this particular incident stands out because the wide spectrum of exposed data "could allow hackers to easily steal Gearbest's customers' identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more. Organizations like Gearbest must learn to be diligent in ensuring data is protected with proper security controls."