
Unveiling the Risk: How a Major Company Exposed Sensitive Customer Data

  • Writer: Abhishek Kanaujia
  • Sep 4, 2024
  • 3 min read



In the world of cybersecurity, it’s not uncommon to stumble upon vulnerabilities that can have far-reaching consequences. Today, I’m sharing a story about one of the biggest companies in the industry that unknowingly exposed sensitive customer data through an internal CMS portal. This portal contained critical information, including personally identifiable information (PII) and details about gold purchases made by their clients.

The twist? Despite my efforts to report this issue, the company’s lack of a responsible disclosure program made it an uphill battle to get this vulnerability addressed.



The Discovery: A Simple Invoice Link Leads to a Treasure Trove


It all started innocently enough. After purchasing some gold from the company’s store, I received a message containing a link to download the invoice.

The link seemed straightforward, but there was one glaring issue: no authentication was required to access it. Anyone who obtained the link, whether by forwarding, a shared device, or a leaked message, could download the invoice, and nothing tied the link to the customer it was issued to.


This piqued my curiosity. What else could be lurking behind unsecured links? I began to explore further, testing the waters to see how deep this rabbit hole went.



Unearthing the Internal CMS Portal


As I dug deeper, I decided to scan the host behind the URL to see what other services it exposed. My persistence paid off: port 8080 was open, and on it was an internal portal running on an old IIS 8 server.




This wasn’t just any portal; it was a critical part of the company’s infrastructure, allowing access to sensitive customer data.


The portal was a simple ASP-based application with four fields for searching user data by Mobile Number, Loyalty Number, Name, and ULP ID. With this, I could search for and view the personal details of anyone who had purchased gold from the company. This wasn’t just a minor oversight; it was a significant breach of customer privacy and trust.




The Challenge: Reporting the Vulnerability


Recognizing the severity of this issue, I tried to contact the company’s customers and even reached out to several employees on LinkedIn. But my messages went unanswered. Frustrated by the lack of response, I took to Twitter, hoping to catch the attention of someone within the company.

Finally, after multiple attempts, an internal employee reached out and acknowledged the vulnerability.





The employee quickly mitigated the issue, but when I asked for permission to publish a blog post about the vulnerability, I was met with resistance. The company was concerned that publicizing the issue would negatively impact their sales. As a result, I was asked to mask all identifying information and not disclose the company’s name.






Lessons Learned: Never Expose Unnecessary Ports


This experience serves as a crucial reminder for companies: never expose any ports beyond those necessary for the application's functionality. An unnecessary open port is a gateway for attackers into systems that were never meant to face the internet, as was the case here. Network exposure was only the first failure, though. The portal on port 8080 answered to anyone who reached it, without any authentication, and the invoice links had the same flaw, so closing the port is one layer of defence and not a substitute for authenticating every request to a system that serves customer data.


As part of my commitment to open-source security, I’ve developed a continuous infrastructure and asset inventory tool that raises a real-time alert whenever a port that is not on the expected list starts listening on an instance. Catching that drift early can prevent incidents like this one. You can find a detailed blog post on how to deploy it on your instance here.
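The core of a port-drift check is simple enough to show in a few dozen lines. The block below is an added illustration written for this post, not the author's tool: it parses the output of `ss -ltnH` (constructed sample lines are embedded so it runs offline), ignores sockets bound only to loopback, compares the externally reachable ports with an allowlist, and reports anything unexpected. The allowlist and the sample sockets are assumptions chosen to mirror the story, with 8080 as the stray listener.

```python
import subprocess

# Constructed sample of `ss -ltnH` output: State Recv-Q Send-Q Local:Port Peer:Port.
# Port 1433 is bound to loopback only, so it is not reachable from outside;
# 8080 is bound to all interfaces and is not on the allowlist below.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1433 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

# Hypothetical baseline for a web instance: only these ports should ever listen
# on a non-loopback address.
EXPECTED_PORTS = {22, 80, 443}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss(text: str) -> list[tuple[str, int]]:
    """Return (local_address, port) pairs from `ss -ltnH` style lines."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        addr, _, port = local.rpartition(":")   # IPv6 uses [addr]:port
        if port.isdigit():
            sockets.append((addr, int(port)))
    return sockets


def exposed_ports(sockets: list[tuple[str, int]]) -> set[int]:
    """Ports bound to an address other than loopback, i.e. possibly reachable."""
    return {port for addr, port in sockets if addr not in LOOPBACK}


def unexpected_ports(ss_output: str, allowlist: set[int]) -> list[int]:
    """Sorted list of externally bound ports missing from the allowlist."""
    return sorted(exposed_ports(parse_ss(ss_output)) - allowlist)


def alert_message(host: str, ports: list[int]) -> str:
    """Text a scheduler could push to a chat channel or pager."""
    if not ports:
        return f"{host}: no unexpected listeners"
    return f"{host}: UNEXPECTED listening ports {ports}; investigate before exposing"


def live_ss_output() -> str:
    """Read the real socket table on a Linux host (requires iproute2's ss)."""
    return subprocess.run(["ss", "-ltnH"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print(alert_message("sample-host", unexpected_ports(SAMPLE_SS_OUTPUT, EXPECTED_PORTS)))
    # On a real instance, run this on a schedule instead:
    # print(alert_message("this-host", unexpected_ports(live_ss_output(), EXPECTED_PORTS)))
```

Two caveats a practitioner would add. Binding to loopback only keeps a service off the network if nothing forwards traffic to it, so a reverse proxy in front of 127.0.0.1:8080 would still expose the portal; and a host-level check says what is listening, not what a cloud security group or firewall actually lets through, so the baseline is best enforced at both layers and the alert treated as a prompt to confirm the port is blocked upstream.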




Conclusion: The Importance of Responsible Disclosure


This incident highlights the challenges faced by security researchers when companies lack a responsible disclosure program. Vulnerabilities like this one can have serious consequences, and it’s crucial for organizations to have a clear process in place for reporting and addressing security issues.


In the end, while I can’t disclose the company’s name, I hope this story serves as a cautionary tale for others. Security is everyone’s responsibility, and the stakes are too high to ignore potential vulnerabilities.


Stay tuned for more insights on securing your infrastructure, and remember—always be vigilant, because you never know what might be lurking just beneath the surface.
