FreshBooks, a Canadian start-up building cloud-based accounting software, left an Amazon Web Services (AWS) storage bucket holding confidential employee data unprotected online, accessible to anyone who knew where to look, experts said.
As a result, more than 30 million of its users in more than 160 countries around the world have been exposed to the risk of identity theft and other cybercrime, perhaps not directly, but through more targeted attacks built on the data obtained.
The warning was issued by Cybernews, the research team that first discovered the database in late January 2023.
Easily cracked passwords
At first glance, the bucket stored images and metadata for the company's blog, but deeper analysis revealed backups of the site's source code, as well as site information, configurations, and login details for 121 WordPress users. The login details – usernames, email addresses and hashed passwords – belonged to the site's administrators. The researchers said the passwords were hashed with the "easy to crack" MD5/phpass mechanism, meaning the plaintext could be recovered with relatively little effort.
The Cybernews team claims that this information allowed cybercriminals to gain access to the website’s backend and make unauthorized changes to its content. They could analyze the source code, understand how the site works, and find other vulnerabilities that could be sold or exploited. In fact, the 2019 server backup contained “at least five” vulnerable plugins that were installed on the site at the time, researchers found.
In an even more dangerous scenario, they could install malware, move laterally across the network and steal sensitive data.
However, there is a caveat to exploiting this exposure: "The site's admin login page was secure and not accessible to the public," the researchers explain. "However, attackers can still bypass this security measure by connecting to the same network as the website or by finding and exploiting a vulnerable WordPress plugin."
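The root cause reported above is a bucket readable by anyone on the internet. As an added illustration (not code from Cybernews or FreshBooks), the following Python linter flags bucket-policy statements that grant anonymous object reads; the bucket name, role ARN and account id in the sample policies are constructed placeholders, and the check is a simplified static review, not a replacement for AWS IAM Access Analyzer or S3 Block Public Access.

```python
import json

# Actions that let a principal read objects; "s3:*" and "*" cover everything.
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principal_is_anyone(principal):
    """True for the wildcard principal forms S3 treats as anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False

def public_read_statements(policy_json):
    """Return Sids (or statement[index]) of statements granting anonymous reads.
    NotPrincipal/NotAction forms are not evaluated and should be reviewed by hand."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        # A Condition may narrow the grant (e.g. to a VPC endpoint); still flag it.
        label = stmt.get("Sid", f"statement[{idx}]")
        findings.append(label + (" (conditional)" if "Condition" in stmt else ""))
    return findings

# Constructed sample policies: the classic "public read" mistake, and a
# corrected version that limits reads to a single IAM role (placeholder ARN).
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]})
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "BackupRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}]})

if __name__ == "__main__":
    print("weak:", public_read_statements(WEAK_POLICY))  # ['PublicReadGetObject']
    print("safe:", public_read_statements(SAFE_POLICY))  # []
```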
By: Cybernews