Google Search Finds Exposed Customer Data
 

 
Patient: A well-known hosting service provider in Taiwan
Symptoms: Disclosure of customer data on internet search
Description: In January 2009 it emerged that several thousand customer order sheets from a well-known hosting service provider in Taiwan had been exposed on the internet. The records, which contained company and customer names, telephone numbers, transaction details and amounts, and account names and passwords, had been searchable and viewable through a few local and international search engines for nearly a month in late 2008.
It is believed that a lack of access control on the IP sessions used by the administrators resulted in full exposure of the company's data to the wild. “It is totally impossible for Google spiders to access a company's internal order information if authentication is implemented,” another hosting service provider claimed. “What could have happened is that changes were made without adding further authentication at the end of the procedure, and somehow the administrator had the Google Toolbar on his web browser, which sniffed out the internal links and logged the records.”
The victims were not informed promptly so that they could take the necessary remediation steps. What the hosting service provider announced to the public seemed passive and conservative, and did not meet good risk management standards.

 



1. Lack of network access control (no password set) by the webmaster on the website maintenance platform.
2. Easily guessed root directory names made intrusion easy for outsiders.
3. No “robots.txt” implemented to regulate Google spider access.
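The three causes above come down to one condition: internal order pages were served to any client, search-engine crawlers included, with no authentication challenge, and a robots.txt would only have asked well-behaved crawlers to stay away. A webmaster can detect that condition from the web server's own access log by looking for search-engine user agents that received 2xx responses on paths that should require a login. This is an added example, not DragonSoft's code or any tool from the page; the log lines are constructed, and the crawler list and the /admin/ and /manage/ prefixes are assumptions.

```python
import re

# Constructed sample lines in Apache/nginx "combined" log format (not real data).
SAMPLE_LOG = """\
66.249.66.1 - - [12/Dec/2008:10:01:22 +0800] "GET /admin/orders/1001.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [12/Dec/2008:10:01:25 +0800] "GET /admin/orders/1002.php HTTP/1.1" 200 5133 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [12/Dec/2008:10:02:00 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
66.249.66.2 - - [12/Dec/2008:10:03:10 +0800] "GET /admin/login.php HTTP/1.1" 401 312 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
65.55.1.9 - - [12/Dec/2008:10:04:00 +0800] "GET /admin/orders/1003.php HTTP/1.1" 200 5100 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
"""

# Combined log format: client IP, timestamp, request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Search-engine crawler tokens (assumed list; add the crawlers seen in your own logs).
CRAWLER_RE = re.compile(r"googlebot|msnbot|slurp|baiduspider", re.IGNORECASE)
# Paths that must never be served without authentication (assumed for this example).
PROTECTED_PREFIXES = ("/admin/", "/manage/")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_crawler_exposures(log_text, prefixes=PROTECTED_PREFIXES):
    """Return (ip, path, crawler) for each crawler request answered 2xx on a protected path.

    A 2xx means the server handed the page to a search engine without an
    authentication challenge; a 401/403 (or redirect to a login page) is the
    expected answer, so the 401 on /admin/login.php above is not reported.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        bot = CRAWLER_RE.search(rec["ua"])
        if bot and rec["status"].startswith("2") and rec["path"].startswith(prefixes):
            hits.append((rec["ip"], rec["path"], bot.group(0)))
    return hits


if __name__ == "__main__":
    for ip, path, crawler in find_crawler_exposures(SAMPLE_LOG):
        print(f"EXPOSED: {path} served to {crawler} from {ip}")
```

Every hit reported here is a page that was indexable regardless of any robots.txt; the remedy is authentication on the path itself, followed by a removal request to the search engines that already cached it.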
 


DragonSoft Vulnerability Management® supports website directory exploration scans; its Dictionary Search technology assigns a CVSS (Common Vulnerability Scoring System) rating to any weak-password vulnerability found in user accounts.
 
* Tick the “Account password from passwords file” and “Account with no password” options in the customized policy.
 
Run an audit scan to find any weak-password vulnerability in user accounts.
 
* A high-risk password vulnerability is detected under the Account category with a CVE (Common Vulnerabilities and Exposures) identifier. The specific solution is stated directly below the description.
 
 
Risk levels:
High: Allows immediate remote or local access, or immediate execution of code or commands with unauthorized privileges, bypassing security on firewalls.
Medium: Potential for granting access or allowing code execution by means of complex or lengthy exploit procedures. Examples are cross-site scripting, man-in-the-middle attacks, SQL injection, denial of service and information disclosure.
Low: Denies service or provides non-system information that could be used to formulate structured attacks on a target, but does not directly grant unauthorized access.

 
 

About DragonSoft
DragonSoft is a leading developer of network security in Asia Pacific. Its vulnerability management research and design have achieved CVE certification. Our solution is widely used by government bodies and by banking, financial services and insurance organizations to mitigate the risks of exploits and to prioritize threat management through professional assessment. Founded in 2002 and headquartered in Taipei, Taiwan, DragonSoft delivers products and services to corporate clients worldwide. For more information, please visit www.dragonsoft.com

Copyright © 2009, DragonSoft Security Associates, Inc. All rights reserved.