

























It is a common practice to make ad-hoc backups during store platform maintenance. The problem, however, is that these backups often end up in a public folder. Perhaps the administrator intended to remove it after the maintenance, but forgot about it? Few people would admit it, but these mistakes are extremely common, as Sansec research now shows. It is the first time a quantitative study reveals the large scope of this problem: more than 12% of stores risk getting hacked because of a small human error.

A sample of the dozens of exposed private archives that we found
Sansec analysed online stores of various sizes (n=2037). On 250 stores, we found archives (such as ZIP, SQL, and TAR files) in the public web folder without access restrictions. These backups appear to contain database passwords, secret administrator URL, secret API keys, and full customer data (PII).

An example of a database backup containing customer order data
How easy is it for an attacker to discover such backups? Unfortunately, easier than you may think. We have observed automated attacks against online stores, where thousands of possible backup names are tried over the course of multiple weeks. The attack includes clever permutations based on the site name and public DNS data, such as /db/staging-SITENAME.zip. Because these probes are very cheap to run and do not affect the target store performance, they can essentially go on forever until a backup has been found.
Sansec found multiple attack patterns from dozens of source IPs, suggesting that multiple actors are working to exploit this vulnerability.

A brute force probe for sensitive data by 91.229.239.182
And what if an attacker manages to download a private backup? They typically contain the secret administrator URL of a store, plus the password for the master database, plus hashed passwords for staff accounts. In many cases, these secrets are enough to gain administrator access.
Hopefully not, but it cannot hurt to check your store for any backups in public folders. For any found files, test whether they are accessible via your public store URL. If your backups were accidentally exposed for a period of time, you should investigate your store for any signs of a compromise.
Apart from not making ad-hoc backups at all, here are several effective strategies that will prevent future leaking of private backups.

Do you want to improve the security of your online store today for free? Get a copy of eComscan here and use the SECUREBACKUP coupon (first month free, no strings attached).
NB. Naturally, Sansec did not download any of the backups. We have reached out to merchants to verify our findings.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。