
SMS Database Leak, Including Two-Factor Codes

     
4:30 pm on Nov 16, 2018 (gmt 0)

Administrator from GB: engine
joined: May 9, 2000
posts: 25722
votes: 821


According to a researcher, tens of millions of text messages, including password reset links, two-factor codes and shipping notifications, were sitting on an exposed server which wasn't protected by a password.

Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.

[techcrunch.com...]

The database is now offline, so that's ok, right! ;)
5:43 pm on Nov 16, 2018 (gmt 0)

Preferred Member
joined: Sept 13, 2018
posts: 355
votes: 66


server which wasn't protected by a password

I don't password-protect my servers either ... I just use SSH with a private key and only allow my static IP. I guess they were not doing this either :)
5:55 pm on Nov 16, 2018 (gmt 0)

Senior Member from GB: brotherhood_of_lan
joined: Jan 30, 2002
posts: 4959
votes: 38


There are programs that walk up and down the likes of Amazon's servers/IPs/ports, because it seems to be a gravitational centre for these kinds of mistakes.

apt-get install ignorance
6:00 pm on Nov 16, 2018 (gmt 0)

Preferred Member
joined: Sept 13, 2018
posts: 355
votes: 66


apt-get install ignorance

:)
6:58 pm on Nov 16, 2018 (gmt 0)

Senior Member from GB
joined: Nov 16, 2005
posts: 2830
votes: 143


@justpassing, a server login was not needed; they had a web UI for the database publicly accessible and not requiring passwords. The article seems a bit confused. Elasticsearch has nothing to do with Amazon (you can run it on AWS, but I think the journo has confused it with AWS products with "Elastic" in the name).
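The two halves of the thread, the "web UI publicly accessible and not requiring passwords" that the last post describes and the "only allow my static IP" mitigation from the earlier reply, as an added example. This code is not from the thread, from TechCrunch, or from the Elasticsearch project. It assumes Python 3, that an unauthenticated GET of Elasticsearch's root document (port 9200) answers with a JSON object carrying "version" and "tagline", that Kibana's /api/status (port 5601) answers with JSON carrying "version" and "status" (both treated as heuristics here), and that a security group is passed in the shape that `aws ec2 describe-security-groups` returns. The hostnames, the sample HTTP bodies and the sample security group are constructed for illustration.

```python
"""Check whether an Elasticsearch/Kibana deployment is exposed the way the
thread describes: (1) classify what an anonymous HTTP probe gets back, and
(2) audit EC2 security-group ingress for 9200/5601 open wider than one host.
Added example, not code from the thread or the projects it mentions."""
import ipaddress
import json
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Ports a mass scanner walking cloud IP ranges would try first.
ES_PORTS = {9200: "elasticsearch", 5601: "kibana"}


def classify_probe(status: int, body: str) -> str:
    """Classify the response to an unauthenticated GET against a suspected
    Elasticsearch or Kibana port.

    'open'          - the service returned its data to an anonymous client
    'auth_required' - 401/403: a credential gate sits in front of it
    'not_es'        - answered, but does not look like Elasticsearch/Kibana
    'unreachable'   - no HTTP answer at all (status 0)
    """
    if status == 0:
        return "unreachable"
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            doc = None
        # Heuristic (assumption): Elasticsearch's root document has
        # "version" + "tagline"; Kibana's /api/status has "version" + "status".
        if isinstance(doc, dict) and "version" in doc and (
            "tagline" in doc or "status" in doc
        ):
            return "open"
    return "not_es"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Issue the same anonymous GET a scanner would and classify the result."""
    path = "/api/status" if port == 5601 else "/"
    url = f"http://{host}:{port}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 401/403 arrive as exceptions
        return classify_probe(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return classify_probe(0, "")


def world_open_rules(security_group: Dict, ports=ES_PORTS) -> List[Tuple[str, int, str]]:
    """Return (group_id, port, cidr) for every ingress rule that reaches one
    of `ports` from a CIDR wider than a single host (/32 or /128).

    `security_group` is one element of the 'SecurityGroups' list produced by
    `aws ec2 describe-security-groups`.
    """
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" means all protocols/ports
            continue
        lo = perm.get("FromPort", 0) if proto == "tcp" else 0
        hi = perm.get("ToPort", 65535) if proto == "tcp" else 65535
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port in ports:
            if not lo <= port <= hi:
                continue
            for cidr in ranges:
                if ipaddress.ip_network(cidr, strict=False).num_addresses > 1:
                    findings.append((security_group["GroupId"], port, cidr))
    return findings


# Constructed sample responses (not captured from any real host).
SAMPLE_ES_ROOT = json.dumps({"name": "node-1", "cluster_name": "sms-logs",
                             "version": {"number": "6.4.2"},
                             "tagline": "You Know, for Search"})
SAMPLE_KIBANA_STATUS = json.dumps({"name": "kibana", "version": {"number": "6.4.2"},
                                   "status": {"overall": {"state": "green"}}})

# Constructed sample security group: SSH locked to one static IP (fine),
# Elasticsearch open to the IPv4 world, Kibana open to the IPv6 world.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5601, "ToPort": 5601,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for gid, port, cidr in world_open_rules(SAMPLE_SG):
        print(f"{gid}: {ES_PORTS[port]} ({port}/tcp) reachable from {cidr}")
    print("ES root, anonymous:", classify_probe(200, SAMPLE_ES_ROOT))
    # Assumed target; replace with the host you own.
    print("localhost:9200 ->", probe("localhost", 9200))
```

Run it against your own hosts only. A result of `open` on 9200 or 5601 is exactly the state the article describes: a working SSH-key-only login on the box does nothing for a service that answers HTTP to anyone, so the security group (or an equivalent firewall) has to restrict those ports as tightly as port 22 is.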