Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Security researcher Noam Rotem has discovered a major security breach in the Shenzhen-based eCommerce site Gearbest.
The online shopping website ships goods to over 250 countries and ranks in the top 100 websites in almost 30% of these regions, according to VPNMentor.
Rotem and his team of ethical hackers at VPNMentor found that the company uses an Elasticsearch database, which is not ordinarily designed to be accessed through a public URL.
They also reported being able to access over 1.5 million records in different areas of Gearbest's unencrypted database, including:
- Orders database, including purchased products, shipping address and postcode, customer names, email addresses, and phone numbers
- Payments and invoices database including order number, payment type, payment information, email address, name, and IP address.
- Members database including name, address, date of birth, phone number, email address, IP address, national ID and password information, and account passwords.
Using the leaked information, Rotem's team found they were able to log into Gearbest accounts and operate them with full user privileges, viewing current and past orders, accumulating Gearbest points, and changing account passwords and details.
In a worst-case scenario, VPNMentor's research found that by cross-referencing different databases, hackers can steal the identities of Gearbest customers.
Depending on the countries and information requirements, the data available can give hackers access to online government portals, banking apps, and health insurance records, to name a few.
After Rotem's findings were published, Gearbest posted a statement on its Facebook page responding to VPNMentor.
"Some of the external tools we use to temporarily store data may have been accessed by others and therefore data security may have been compromised.
"Our investigation reveals that on March 19, 2019, … firewalls were mistakenly taken down by one of our security team members for reasons still being [sic] under investigation. Such unprotected status has directly exposed those tools for scanning and accessing without further authentication."
Gearbest said in the statement that the breach may affect 280,000 newly registered customers and customers who placed orders with Gearbest between March 1, 2019, and March 15, 2019.
It also says the data leak was fixed two hours after detection.
"We will further strengthen our internal security management to avoid such incidents from happening again."
Gearbest says it is also taking measures to deactivate the passwords of the compromised accounts to prevent credential abuse and will notify affected customers via email.
The full VPNMentor report is on its website.
What cybersecurity experts have to say
Digital Guardian cloud services security architect Naaman Hart
The most shocking thing about this is the complete mistruth that was told to customers of Gearbest.
Data-at-rest encryption was the promise and it doesn't appear to have been the case at all.
While breaches can be seen as almost unavoidable these days, encryption of the data stolen should be a given, especially given the sensitivity of the data Gearbest stored.
Worryingly it's not just the usual names, addresses, passwords and emails; the data includes passport details and national IDs.
Gearbest don't appear to have shown any care in segregating information that, while it's all personal, is not equal.
The data was linked so easily together that a complete profile of someone could be built that exposes the individual to identity fraud.
There are many other risks that could now befall the individual customer and trying to fix this problem by invalidating their data by requesting new passports and national IDs is not only difficult, it's sometimes impossible.
Gearbest's customers may have to accept that they're forever exposed to additional risk thanks to the mismanagement of their data.
It appears that Gearbest failed on two counts of poor configuration.
First, they failed to protect a 'big data' Elasticsearch setup and secondly, they failed to encrypt any of that data.
Both of these are configuration and best practice problems and frankly, there's little excuse for not implementing them correctly.
Ultimately if you can't trust a company to get the basics right, definitely don't trust them to keep you and your data safe.
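The two configuration failures named above (an Elasticsearch node reachable without authentication, and data stored unencrypted) map onto a handful of settings in elasticsearch.yml. The following is an added illustration, not Gearbest's or Elastic's own configuration; the bind address and certificate paths are placeholders, and the two blocks are meant as two separate files, with the first showing the exposed state and the second the hardened one.

```yaml
# --- elasticsearch.yml, exposed state (constructed illustration) ---
# Binding to every interface with security switched off means that anyone
# who can reach TCP/9200 (for instance after a firewall rule is removed) can
# read every index over plain HTTP with no credentials at all.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

# --- elasticsearch.yml, hardened state (constructed illustration) ---
# Bind only to a private interface (placeholder address) so the node is never
# a single firewall change away from the public internet.
network.host: 10.0.0.5
http.port: 9200
# Require authentication on every request, including the REST API.
xpack.security.enabled: true
# Encrypt client traffic to the HTTP layer (placeholder keystore path).
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
# Encrypt node-to-node traffic and verify peer certificates (placeholder paths).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
```

Elasticsearch does not encrypt its index files on disk itself, so the data-at-rest point raised in the comment above is addressed at the volume or filesystem layer (for example dm-crypt or a cloud provider's encrypted volumes) rather than in elasticsearch.yml.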
Bitglass CTO Anurag Kahol
It's concerning when it takes an organisation months, or even years, to recognise that a misconfigured server has enabled a breach or a leak.
As a global eCommerce provider that ships to over 250 countries and territories, ranks in the top 100 websites in almost 30 percent of said regions, and has subdomains in 18 different languages, Gearbest must adopt a flexible security platform that proactively detects and responds to new threats as they arise.
Allowing a server to remain misconfigured for a prolonged period of time increases the odds that a malicious actor can find it and exploit the information therein for their own purposes.
Throughout 2018 and 2019, misconfigurations have grown in popularity as an attack vector across all industries.
This highlights the reality that organisations are struggling with limited IT resources and, consequently, are susceptible to careless and reckless mistakes like misconfigurations.
As such, companies must turn to flexible and cost-effective solutions that can help them to defend against data leakage.
For example, cloud access security brokers (CASBs) provide cloud security posture management (CSPM), data loss prevention (DLP), user and entity behaviour analytics (UEBA), and other capabilities that can give an organisation confidence that its data is truly safe.