Two in one: tourist data and tickets for cultural events were in the public domain

Today we will consider two cases at once - the data of clients and partners of two completely different companies turned out to be freely available “thanks to” open Elasticsearch servers with logs of information systems (IS) of these companies.


In the first case, these are tens of thousands (or maybe hundreds of thousands) of tickets for various cultural events (theaters, clubs, river walks, etc.) sold through the Radario system (www.radario.ru).

In the second case, this is data on tourist trips of thousands (perhaps several tens of thousands) of travelers who bought tours through travel agencies connected to the Sletat.ru system (www.sletat.ru).

I note right away that not only the names of the companies that allowed the data to get into the public domain differ, but also the approach of these companies to the recognition of the incident and the subsequent reaction to it. But first things first…

Disclaimer: all information below is published for educational purposes only. The author did not gain access to the personal data of third parties or companies. The information was taken either from open sources or was provided to the author by anonymous well-wishers.

Case one. "Radario"

On the evening of 06.05.2019 our system discovered a freely accessible Elasticsearch server belonging to the electronic ticket sales service Radario.

According to the already established sad tradition, the server contained detailed logs of the information system of the service, from which it was possible to obtain personal data, logins and passwords of users, as well as electronic tickets themselves for various events throughout the country.


The total volume of logs exceeded 1 TB.

According to the Shodan search engine, the server had been in the public domain since 11.03.2019. I notified Radario employees on 06.05.2019 at 22:50 (Moscow time), and on 07.05.2019 at about 09:30 the server became unavailable.

The logs contained a universal (single) authorization token that provides access to all purchased tickets using special links, like:

http://radario.ru/internal/tickets/XXXXXXXX/print?access_token=******JuYWw6MDIzOWRjOTM1NzJiNDZjMTlhZGFjZmRhZTQ3ZDgyYTk

http://radario.ru/internal/orders/YYYYYYY/print?access_token=******JuYWw6MDIzOWRjOTM1NzJiNDZjMTlhZGFjZmRhZTQ3ZDgyYTk

The problem was compounded by the fact that tickets and orders were numbered sequentially, so by simply enumerating the ticket number (XXXXXXXX) or the order number (YYYYYYY) it was possible to retrieve every ticket in the system.

To check the relevance of the database, I even honestly bought myself the cheapest ticket:


and later found it on the public server in the IS logs:

http://radario.ru/internal/tickets/11819272/print?access_token==******JuYWw6MDIzOWRjOTM1NzJiNDZjMTlhZGFjZmRhZTQ3ZDgyYTk

Separately, I would like to emphasize that tickets were available for both past events and those that are still being planned. That is, a potential attacker could use someone else's ticket to enter the planned event.
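The two weaknesses described above (one shared access_token for every ticket, and sequential ticket/order numbers) can be removed together by binding each print link to a short-lived token computed over the ticket id. The following is an added illustration, not Radario's code; the host name, key handling and ticket id format are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example, not Radario's code. One shared access_token plus
# sequential ticket numbers lets anyone holding the token print every
# ticket. Here each print link carries a short-lived token that is an
# HMAC over (ticket_id, expiry), so a token for one ticket is useless
# for any other ticket and stops working after ttl_seconds.

SERVER_KEY = secrets.token_bytes(32)  # assumption: kept out of logs and dumps


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(ticket_id: str, exp: int) -> bytes:
    msg = f"{ticket_id}\n{exp}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_print_token(ticket_id: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Token format: '<expiry-unix>.<urlsafe-b64 HMAC>' bound to ticket_id."""
    exp = int(time.time() if now is None else now) + ttl_seconds
    return f"{exp}.{_b64(_mac(ticket_id, exp))}"


def verify_print_token(ticket_id: str, token: str, now: Optional[int] = None) -> bool:
    """True only for an unexpired token minted for exactly this ticket_id."""
    try:
        exp_text, sig_text = token.split(".", 1)
        exp = int(exp_text)
        given = _unb64(sig_text)
    except (ValueError, TypeError):
        return False
    if (time.time() if now is None else now) >= exp:
        return False
    return hmac.compare_digest(given, _mac(ticket_id, exp))  # constant-time compare


def print_link(ticket_id: str, token: str) -> str:
    # Hypothetical host; the real service path is shown in the article.
    return f"https://tickets.example.invalid/internal/tickets/{ticket_id}/print?access_token={token}"
```

Even with per-ticket tokens, the token still travels in the URL, so the logging layer must strip query strings before anything reaches an index that might be exposed.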

On average, each Elasticsearch index containing logs for one specific day (from 24.01.2019 to 07.05.2019) held between 25 and 35 thousand tickets.

In addition to the tickets themselves, the index contained logins (e-mail addresses) and text passwords for accessing the personal accounts of Radario partners who sell tickets to their events through this service:

Content: "ReturnUrl=&UserEmail=***@yandex.ru&UserPassword=***"

In total, more than 500 login/password pairs were discovered. In the personal accounts of partners, you can see the statistics of ticket sales:


Also in the public domain were the full name, phone numbers and e-mail addresses of buyers who decided to return previously purchased tickets:

"Content": "{"name":"***","surname":"*** ","middleName":"Евгеньевна ","passportType":1,"passportNumber":"","passportIssueDate":"11-11-2011 11:11:11","passportIssuedBy":"","email":"***@mail.ru","phone":"+799*******","ticketNumbers":["****24848","****948732"],"refundReason":4,"comment":""}"

In one randomly selected day, more than 500 such records were discovered.

I received a response to the notification from the technical director of Radario:

I'm the CTO of Radario and would like to thank you for finding the issue. Access to Elastic, as you know, we have closed, and we are solving the issue of reissuing tickets for customers.

A little later, the company made an official statement:

In Radario's electronic ticketing system, a vulnerability was discovered and timely fixed that could lead to data leakage of service customers, the company's marketing director Kirill Malyshev told the Moscow City News Agency.

“We did indeed discover a vulnerability in the system due to regular updates, which was fixed immediately after the discovery. As a result of the vulnerability, under certain conditions, hostile actions of third parties could lead to data leakage, but no incidents were recorded. At the moment, all malfunctions have been eliminated,” said K. Malyshev.

The representative of the company emphasized that it was decided to reissue all tickets sold during the solution of the problem in order to completely eliminate the possibility of any fraud in relation to the service's customers.

A few days later, I checked whether the data was still reachable via the leaked links: access to the exposed tickets had indeed been closed. In my opinion, this is a competent, professional approach to handling a data leak.

Second case. "Sletat.ru"

Early on the morning of 15.05.2019, DeviceLock Data Breach Intelligence detected a public Elasticsearch server with logs from some IS.


Later it was found that the server belongs to the Sletat.ru tour selection service.

From the index cbto__0 it was possible to obtain thousands of e-mail addresses (11.7 thousand including duplicates), as well as some payment information (tour prices) and tour data (when, where, air ticket data for all travelers included in the tour, etc.) amounting to about 1.8 thousand entries:

"full_message": "Получен запрос за создание платежного средства: {"SuccessReturnUrl":"https://sletat.ru/tour/7-1939548394-65996246/buy/?ClaimId=b5e3bf98-2855-400d-a93a-17c54a970155","ErrorReturnUrl":"https://sletat.ru/","PaymentAgentId":15,"DocumentNumber":96629429,"DocumentDisplayNumber":"4451-17993","Amount":36307.0,"PaymentToolType":3,"ExpiryDateUtc":"2020-04-03T00:33:55.217358+03:00","LifecycleType":2,"CustomerEmail":"[email protected]","Description":"","SettingsId":"8759d0dd-da54-45dd-9661-4e852b0a1d89","AdditionalInfo":"{"TourOfficeAdditionalInfo":{"IsAdditionalPayment":false},"BarrelAdditionalInfo":{"Tickets":[{"Passenger":{"FIO":"XXX VIKTORIIA"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX ANDREI"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX Andrei"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false}],"Segments":[{"Flight":"5659","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"LED","DepartureAirport":"LED","DepartureAirportIataCode":"LED","DepartureDate":"2019-04-11T02:45:00","DepartureTime":null,"ArrivalCity":"SHJ","ArrivalAirport":"SHJ","ArrivalAirportIataCode":"SHJ","ArrivalDate":"2019-04-11T09:40:00","ArrivalTime":null,"FareCode":null},{"Flight":"5660","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"SHJ","DepartureAirport":"SHJ","DepartureAirportIataCode":"SHJ","DepartureDate":"2019-04-14T10:45:00","DepartureTime":null,"ArrivalCity":"LED","ArrivalAirport":"LED","ArrivalAirportIataCode":"LED","ArrivalDate":"2019-04-14T15:50:00","ArrivalTime":null,"FareCode":null}]},"Tickets":[{"Passenger":{"FIO":"XXX VIKTORIIA"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX ANDREI"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX 
Andrei"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false}],"Segments":[{"Flight":"5659","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"LED","DepartureAirport":"LED","DepartureAirportIataCode":"LED","DepartureDate":"2019-04-11T02:45:00","DepartureTime":null,"ArrivalCity":"SHJ","ArrivalAirport":"SHJ","ArrivalAirportIataCode":"SHJ","ArrivalDate":"2019-04-11T09:40:00","ArrivalTime":null,"FareCode":null},{"Flight":"5660","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"SHJ","DepartureAirport":"SHJ","DepartureAirportIataCode":"SHJ","DepartureDate":"2019-04-14T10:45:00","DepartureTime":null,"ArrivalCity":"LED","ArrivalAirport":"LED","ArrivalAirportIataCode":"LED","ArrivalDate":"2019-04-14T15:50:00","ArrivalTime":null,"FareCode":null}]}","FinancialSystemId":9,"Key":"18fe21d1-8c9c-43f3-b11d-6bf884ba6ee0"}"

Incidentally, the links to paid tours still worked:


The indexes named graylog_ contained, in plain text, the logins and passwords of travel agencies connected to the Sletat.ru system that sell tours to their customers:

"full_message": "Tours by request 155213901 added to local cache with key 'user_cache_155213901' at 5/6/2019 4:49:07 PM, rows found 0, sortedPriceLength 215. QueryString: countryId=90&cityFromId=1265&s_nightsMin=6&s_nightsMax=14&stars=403%2c404&minHotelRating=1&currencyAlias=RUB&pageSize=300&pageNumber=1&s_showcase=true&includeOilTaxesAndVisa=0&login=zakaz%40XXX.ru&password=XXX, Referer: , UserAgent: , IP: 94.154.XX.XX."

By my estimate, several hundred login/password pairs were exposed.
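In both cases (the Radario `UserPassword=` form posts and the Sletat.ru `password=` query strings and passport JSON above) the root cause is the application writing raw request bodies into its logs. The scrubber below is an added example, not code from either company or from DeviceLock; it redacts the credential and PII fields seen in this article before a line is shipped to Elasticsearch, and returns which fields were present so a monitoring rule can alert when an application starts logging secrets. The sample lines are constructed.

```python
import re
from typing import List, Tuple

# Constructed example; not code from Radario, Sletat.ru or DeviceLock.
# Key=value secrets as seen in form bodies and query strings
# (UserPassword=..., password=..., access_token=...). The value runs until
# '&', whitespace, ',' or '"', which also covers the 'password=XXX, Referer:'
# layout in the article.
_KV_SECRET = re.compile(r'(?i)\b(UserPassword|password|pwd|access_token)=([^&\s,"]+)')
# PII fields inside JSON request bodies (refund form in the article).
_JSON_PII = re.compile(r'"(passportNumber|passportIssueDate|phone|email)"\s*:\s*"([^"]*)"')


def scrub_log_line(line: str) -> Tuple[str, List[str]]:
    """Return (redacted line, list of sensitive field names found, in order)."""
    found: List[str] = []

    def kv(m: "re.Match[str]") -> str:
        found.append(m.group(1))
        return f"{m.group(1)}=[REDACTED]"

    def js(m: "re.Match[str]") -> str:
        found.append(m.group(1))
        return f'"{m.group(1)}":"[REDACTED]"'

    line = _KV_SECRET.sub(kv, line)
    line = _JSON_PII.sub(js, line)
    return line, found


def scrub_batch(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a batch; the count of lines that carried secrets feeds an alert."""
    cleaned, hits = [], 0
    for raw in lines:
        out, found = scrub_log_line(raw)
        cleaned.append(out)
        hits += 1 if found else 0
    return cleaned, hits


# Constructed sample lines modelled on the log formats quoted in the article.
SAMPLE = [
    'Content: "ReturnUrl=&UserEmail=alice@example.com&UserPassword=hunter2"',
    'QueryString: countryId=90&login=zakaz%40agency.example&password=s3cret, Referer: , IP: 203.0.113.5.',
    '{"name":"A","email":"bob@example.com","phone":"+79990000000","passportNumber":"1234 567890"}',
    'GET /internal/tickets/11819272/print?access_token==abcDEF123',
    'Tours by request 155213901 added to local cache, rows found 0',
]
```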

From the travel agency's personal account on the portal agent.sletat.ru it was possible to obtain customer data, including internal passport numbers, international passport numbers, dates of birth, full names, phone numbers and e-mail addresses.


I notified the Sletat.ru service on 15.05.2019 at 10:46 (Moscow time), and within a few hours (by 16:00) the server disappeared from public access. Later, in response to a publication in Kommersant, the service's management made a very strange statement through the media:

Andrey Vershinin, the head of the company, explained that Sletat.ru provides a number of major partner tour operators with access to the history of queries in the search engine. And he assumed that DeviceLock had received it: “However, in the specified database there are no passport data of tourists, logins and passwords of travel agencies, payment data, etc.” Andrey Vershinin noted that Sletat.ru has not yet received any evidence of such serious accusations. “Now we are trying to contact DeviceLock. We believe that this is an order. Some people don't like our rapid growth,” he added.

As shown above, the logins, passwords and passport data of tourists had been freely available for quite a long time (at least since 29.03.2019, when the company's server was first recorded in the public domain by the Shodan search engine). Of course, no one contacted us. I hope that at least they notified the travel agencies about the leak and forced them to change their passwords.

News about information leaks and insiders can always be found on my Telegram channel "Information leaks".

Source: habr.com
