
FreshBooks, a Canadian unicorn startup building cloud accounting software, kept an Amazon Web Services (AWS) Storage bucket holding sensitive employee data unprotected on the internet, available to anyone who knew where to look, experts have claimed.
As a result, more than 30 million of its customers, in more than 160 countries around the world, were put at risk of identity theft and other cybercrime.
The alert was issued by the Cybernews research team, which first discovered the database in late January 2023.
Easily cracked passwords
At first glance, it held storage images and metadata of its blog, but deeper analysis discovered backups of the website’s source code, as well as site information, configurations, and login data for 121 WordPress users. The login data – usernames, email addresses, and hashed passwords – belonged to the site’s administrators. They were hashed using the “easily crackable” MD5/phpass hashing framework, the researchers said, suggesting that recovering the data in plaintext was relatively easy.
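For administrators who want to know whether their own WordPress user table still carries MD5-based hashes of the kind described above, the following added example (not code from Cybernews or FreshBooks) classifies stored hashes by format and reads the iteration count out of phpass strings. The account names and hash values are constructed samples, and treating every MD5-based scheme as due for a rehash is an assumed policy.

```python
import re

# phpass "portable" hashes are salted, iterated MD5. Layout:
# "$P$" + 1 cost char + 8 salt chars + 22 hash chars, all from this alphabet.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PHPASS_RE = re.compile(r"^\$[PH]\$([./0-9A-Za-z])[./0-9A-Za-z]{8}[./0-9A-Za-z]{22}$")
RAW_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d\d)\$[./0-9A-Za-z]{53}$")


def classify(stored):
    """Return (scheme, rounds, needs_rehash) for one stored password hash."""
    m = PHPASS_RE.match(stored)
    if m:
        # The cost character encodes log2 of the number of MD5 rounds.
        return ("phpass-md5", 1 << ITOA64.index(m.group(1)), True)
    if RAW_MD5_RE.match(stored):
        return ("raw-md5", 1, True)  # unsalted, single round
    m = BCRYPT_RE.match(stored)
    if m:
        return ("bcrypt", 1 << int(m.group(1)), False)
    return ("unknown", None, True)  # assumed policy: review anything unrecognised


def audit(rows):
    """Return (login, scheme, rounds) for every account that should be rehashed."""
    flagged = []
    for login, stored in rows:
        scheme, rounds, needs_rehash = classify(stored)
        if needs_rehash:
            flagged.append((login, scheme, rounds))
    return flagged


# Constructed sample rows (user_login, user_pass); not real credentials.
SAMPLE_ROWS = [
    ("editor-a", "$P$B" + "saltsalt" + "h" * 22),
    ("editor-b", "0123456789abcdef" * 2),
    ("editor-c", "$2y$10$" + "a" * 53),
]

if __name__ == "__main__":
    for login, scheme, rounds in audit(SAMPLE_ROWS):
        print(f"{login}: {scheme}, rounds={rounds} -> force reset and rehash")
```

Accounts flagged this way can only move to a stronger scheme when the user next logs in or resets the password, because the plaintext is needed to compute the new hash.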
With this data, the Cybernews team says, threat actors could have accessed the website’s backend and made unauthorized changes to its content. They could have analyzed the source code, understood how the website operated, and found other vulnerabilities to sell or exploit. In fact, a 2019 server backup held “at least five” vulnerable plugins that were installed on the website at the time, the researchers found.
In an even more dangerous scenario, they could have installed malicious software, moved laterally throughout the network, and stolen sensitive data.
There’s a caveat to exploiting the vulnerability, though: “The website’s login page to the admin panel was secured and not publicly accessible,” the researchers explain. “However, attackers could still bypass this security measure by connecting to the same network as the website or finding and exploiting a vulnerable WordPress plugin.”
Via: Cybernews