A common practice among online store platforms to make backups during maintenance may leak sensitive information that cybercriminals could then use to their advantage, according to a new report.
A Feb. 7 report by Sansec, an eCommerce security firm, found that 1 in 9 online stores (or 12%) accidentally leave backups made during platform maintenance in public folders without access restrictions.
The firm analyzed 2,037 online stores and found 250 archives in public folders containing database passwords, secret administrator URLs, secret API keys and full customer data. In many cases, an attacker could use the secrets found in the public folders to gain administrator access.
Cybercriminals actively scan for the backups, and Sansec researchers said they have observed automated attacks against online stores where thousands of possible backup names are tried over the course of multiple weeks. Since the probes are cheap to undertake and don’t affect the performance of the site, “they can essentially go on forever until a backup has been found.”
“Sansec found multiple attack patterns from dozens of source IPs, suggesting that multiple actors are working to exploit this vulnerability,” the researchers wrote.
Besides not making ad-hoc backups, the Sansec researchers recommended that online stores schedule frequent backups and restrict access to archive files. If an organization has accidentally exposed backups, the researchers suggested that it investigate its stores for signs of compromise, such as unauthorized admin accounts, and change all relevant passwords.
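The name-guessing described above leaves a trail of 404s in the web server's access log, which is one place to look when checking a store for the signs of compromise the researchers mention. The following POSIX shell script is an added example, not tooling from Sansec or the report: it flags client IPs with repeated 404 responses on archive-style paths, assuming the Apache/nginx "combined" log format; the log lines it uses are constructed.

```shell
#!/bin/sh
# Added example, not from the Sansec report: flag client IPs that are
# enumerating backup archive names against a store. Reads an access log in
# the "combined" format, where $1 is the client IP, $7 the request path and
# $9 the HTTP status code.

# Print "count ip" for every IP whose requests for archive-like paths
# ended in 404 at least $2 times (default 5), busiest first.
backup_probe_sources() {
    logfile="$1"
    threshold="${2:-5}"
    awk -v t="$threshold" '
        {
            ip = $1; path = $7; status = $9
            sub(/[?].*/, "", path)      # drop any query string
            # a 404 on a backup-looking name is a guess that missed
            if (status == 404 && path ~ /\.(zip|sql|gz|tar|tgz|bak|rar|7z)$/)
                hits[ip]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= t) printf "%d %s\n", hits[ip], ip
        }
    ' "$logfile" | sort -rn
}

# Constructed sample log: one scanner (203.0.113.7) trying six names,
# one host trying two, and a normal visitor fetching real pages.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [07/Feb/2023:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/7.81.0"
203.0.113.7 - - [07/Feb/2023:10:00:02 +0000] "GET /backup.sql HTTP/1.1" 404 153 "-" "curl/7.81.0"
203.0.113.7 - - [07/Feb/2023:10:00:03 +0000] "GET /db.sql.gz HTTP/1.1" 404 153 "-" "curl/7.81.0"
203.0.113.7 - - [07/Feb/2023:10:00:04 +0000] "GET /site.tar.gz HTTP/1.1" 404 153 "-" "curl/7.81.0"
203.0.113.7 - - [07/Feb/2023:10:00:05 +0000] "GET /www.zip?x=1 HTTP/1.1" 404 153 "-" "curl/7.81.0"
203.0.113.7 - - [07/Feb/2023:10:00:06 +0000] "GET /shop.bak HTTP/1.1" 404 153 "-" "curl/7.81.0"
192.0.2.9 - - [07/Feb/2023:11:00:01 +0000] "GET /old.zip HTTP/1.1" 404 153 "-" "python-requests/2.28"
192.0.2.9 - - [07/Feb/2023:11:00:02 +0000] "GET /dump.sql HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.4 - - [07/Feb/2023:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Feb/2023:12:00:02 +0000] "GET /media/catalog.zip HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run against the constructed log: prints "6 203.0.113.7"
demo_log=$(mktemp)
write_sample_log "$demo_log"
backup_probe_sources "$demo_log" 5
rm -f "$demo_log"
```

Run it against a real log with `backup_probe_sources /var/log/nginx/access.log 20` and raise the threshold to suit the store's normal 404 rate; a legitimate download that returns 200 is never counted.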