
Unsecured and unencrypted Korean loyalty platform exposes data of over 1 million customers


Dodo Point has exposed more than a million customer records online. The data, stored in an unencrypted bucket, can be accessed without any kind of authentication.


According to Website Planet’s security team, a recent incident affected the Dodo Point loyalty service platform and resulted in a large amount of personal data being exposed.

Dodo Point is operated by Yanolja Cloud in South Korea. The service is based on the user’s phone number: customers enter their phone number on a tablet at the restaurant or store (Figure A) and are then credited with their reward.

Figure A

Image: Dodopoint.com. Tablets in stores and restaurants allow users to get rewards and loyalty points.

An Amazon S3 bucket used by the company is unsecured: no authentication is required and the stored data is not encrypted. About 73,000 files, accounting for over 38 GB of data, are exposed as a result.

Amazon is not responsible for the Dodo Point team’s misconfiguration, since securing a bucket is the responsibility of the Amazon customer, not of Amazon.


Based on the number of customer records in the exposed Excel file, and after accounting for duplicate entries, the researchers estimate that at least one million customer records were leaked in the breach.

According to the company’s website, giant multinational brands including Nike and Marriott use Dodo Point.

The exposed file contains the user’s name, date of birth, gender, phone number, email address, shops visited and possibly more (Figure B).

Figure B

Image: WebsitePlanet. The exposed Excel file contains customer data.

Fewer than 1,000 bank transfer and direct debit records were also found in the data. Taken together, this data would allow anyone to profile the habits of particular users.

Incident reporting didn’t work

The researchers who found the exposed data first tried to contact Spoqa, the company Dodo Point was affiliated with at the time the data was discovered. After receiving no response, they contacted the Korea Computer Emergency Response Team, again without an answer. The researchers then tried new contacts at Spoqa and disclosed the incident to Amazon Web Services; neither responded.

Eventually, Yanolja became the new owner of Dodo Point and could be reached. The company responded to the researchers immediately, and two days later the Amazon bucket was secured.

While the change of ownership of Dodo Point may have made things more difficult, security issues should always be addressed, regardless of the context.

Similar online exposure

Researchers from Website Planet run an extensive web mapping project. As part of it, they use web scanners to identify unsecured data stores on the Internet, then analyze them and report them to the affected companies so the stores can be secured, which also raises awareness of the dangers of such exposure.

TechRepublic recently reported on thousands of unsecured, exposed Elasticsearch databases being held for ransom.

In 2017, 27,000 MongoDB servers were hit by a similar attack. In 2018, an unsecured database belonging to an e-marketing company exposed 11 million records.

Such exposure incidents happen quite often, and it is not difficult for an attacker to use online scanning tools to find such databases and uncover exposed data that is neither encrypted nor protected by any authentication process.

These data exposure incidents can lead to the exploitation of personal data by cybercriminals: an attacker can impersonate an individual or use their information to target them with spear phishing or social engineering. Some threat actors may also collect such information for cyber espionage purposes.

How to improve incident reporting speed

The case presented here shows once again that incident reporting can only be effective when researchers can quickly reach the right people in a company. As people change jobs, it can be difficult to reach the right individual when needed, but solutions exist.

Using a dedicated email address for security issues may be the best solution. In April 2022, the Internet Engineering Task Force published RFC 9116, which encourages companies to publish a plain-text file called security.txt, accessible over the web to anyone, at the root of each site or within the .well-known folder.

Google, Meta and GitHub already use this file to provide a security contact for researchers who want to report a security incident. The security.txt project website offers to help companies create their security.txt file and provides more information about the project.

How to protect from such a threat

Companies should never expose a database to the Internet unless it is absolutely necessary. Where it is necessary, strong authentication mechanisms such as multi-factor authentication should be implemented.

Role-based access control should be configured so that every user is assigned only the privileges they need. The data stored in such a database must be encrypted, so that even if an attacker manages to access it, it is useless to them.
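As an added example (not from the article or from Dodo Point), a small audit over the three S3 settings that matter in this incident: the public access block, the bucket policy status and default encryption. It takes the response dicts that boto3’s get_public_access_block, get_bucket_policy_status and get_bucket_encryption return (an assumption about the caller; the API calls are left out so the check runs offline on constructed samples).

```python
# Added example (not from the article): audit the S3 settings whose absence led to this exposure.
# The dicts mirror the shapes boto3 returns from get_public_access_block,
# get_bucket_policy_status and get_bucket_encryption; all values here are constructed.
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(public_access_block, policy_status, encryption):
    """Return findings for one bucket; pass None for a setting the API reports as absent."""
    findings = []
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PUBLIC_ACCESS_FLAGS:
        if not cfg.get(flag, False):
            findings.append(f"{flag} is not enabled")
    if (policy_status or {}).get("PolicyStatus", {}).get("IsPublic", False):
        findings.append("bucket policy grants public access")
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append("no default server-side encryption configured")
    return findings

# Constructed weak state resembling the exposure described above.
WEAK = dict(
    public_access_block=None,  # no public access block configured
    policy_status={"PolicyStatus": {"IsPublic": True}},
    encryption=None,           # API reports no encryption configuration
)

# Constructed hardened state: public access blocked, private policy, SSE-KMS by default.
HARDENED = dict(
    public_access_block={"PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_ACCESS_FLAGS, True)},
    policy_status={"PolicyStatus": {"IsPublic": False}},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": "PLACEHOLDER-KMS-KEY-ARN"},
        "BucketKeyEnabled": True}]}},
)

if __name__ == "__main__":
    for name, state in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_bucket(**state) or ["OK"])
```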

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.


news7g