How the personal data of patients and doctors could be affected due to the open ClickHouse database

I write a lot about the discovery of freely accessible databases in almost every country of the world, but there is almost no news about Russian databases left in the public domain. Although I did recently write about the “Kremlin's hand” that a Dutch researcher was alarmed to discover in more than 2000 open databases.

There may be a misconception that everything is great in Russia and the owners of large Russian online projects are responsible for storing user data. I hasten to debunk this myth with this example.

The Russian online medical service DOC+ apparently managed to leave a ClickHouse database containing access logs publicly accessible. Unfortunately, the logs look so detailed that the personal data of the service's employees, partners and customers may well have been exposed.


Let's take it in order...

Disclaimer: all information below is published for educational purposes only. The author did not obtain access to the personal data of third parties or companies. The screenshots were either taken from open sources or provided to the author by anonymous well-wishers.

A reader of my Telegram channel “Information Leaks” (I am its owner), who wished to remain anonymous, got in touch with me and said literally the following:

An open ClickHouse server owned by doc+ was discovered on the Internet. The server's IP address matches the IP address to which the docplus.ru domain is configured.

From Wikipedia: DOC+ (LLC “New Medicine”) is a Russian medical company providing services in the field of telemedicine, doctor house calls, and the storage and processing of personal medical data. The company received investment from Yandex.

Judging by the information collected, the ClickHouse database was indeed freely accessible: anyone who knew the IP address could retrieve data from it. That data appears to be the service's access logs.

[Screenshot: services found on the DOC+ IP address]

As you can see from the picture above, in addition to the www.docplus.ru web server and the ClickHouse server (port 9000), a wide-open MongoDB database is also “hanging” on the same IP address (apparently containing nothing of interest).

As far as I know, the ClickHouse server was discovered with the Shodan.io search engine (I wrote separately about how researchers discover open databases) in conjunction with a special script, click down, which checked each discovered database for the absence of authentication and listed all of its tables. At that time there appeared to be 474 of them.

[Screenshot: list of tables in the ClickHouse database]

The documentation states that by default the ClickHouse server listens for HTTP on port 8123. Therefore, to see what the tables contain, it is enough to send a request with an SQL query like this:

http://[IP address]:8123/?query=SELECT * FROM [table name]

The request presumably returns what is shown in the screenshot below:

[Screenshot: result of the query]

The screenshot shows that the HEADERS field contains the user's location (latitude and longitude), IP address, details of the device used to connect to the service, OS version, and so on.

If it occurred to someone to modify the SQL query slightly, for example like this:

http://[IP address]:8123/?query=SELECT * FROM [table name] WHERE REQUEST LIKE '%25Profiles%25'

then what looks like employees' personal data could be returned: full names, dates of birth, gender, TIN (taxpayer identification number), registered and actual residential addresses, phone numbers, job titles, email addresses, and much more:

[Screenshot: employee records returned by the query]

All the information in the screenshot above closely resembles HR department data from 1C:Enterprise 8.3.

Looking at the API_USER_TOKEN parameter, one might think it is a “working” token that allows performing various actions on behalf of the user, including retrieving his personal data. But of course I cannot confirm this.

At the moment there is no indication that the ClickHouse server is still freely accessible at the same IP address.
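As an added illustration (not code from the original post, DOC+ or ClickHouse), here is a small Python audit of the two ClickHouse settings that make the situation described above possible: the stock users.xml ships the default user with an empty password and `<ip>::/0</ip>`, and a listen_host of 0.0.0.0 exposes the HTTP (8123) and native (9000) ports on every interface. The sample XML fragments, the subnet and the hash value are constructed placeholders.

```python
"""Audit a ClickHouse users.xml / config.xml pair for the settings that
leave the HTTP interface (port 8123) open to unauthenticated queries:
a user with no password reachable from any network, and a listen_host
that binds the server to every interface. Sample configs are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the stock ClickHouse defaults for the
# "default" user: empty password, allowed to connect from any address.
WEAK_USERS_XML = """<clickhouse><users><default>
  <password></password>
  <networks><ip>::/0</ip></networks>
  <profile>default</profile>
</default></users></clickhouse>"""
WEAK_CONFIG_XML = """<clickhouse>
  <http_port>8123</http_port><tcp_port>9000</tcp_port>
  <listen_host>0.0.0.0</listen_host>
</clickhouse>"""

# Hardened counterpart: SHA-256 password hash (placeholder hex), access
# limited to the application subnet, server bound to loopback only.
HARDENED_USERS_XML = """<clickhouse><users><default>
  <password_sha256_hex>0000000000000000000000000000000000000000000000000000000000000000</password_sha256_hex>
  <networks><ip>10.0.0.0/24</ip></networks>
  <profile>default</profile>
</default></users></clickhouse>"""
HARDENED_CONFIG_XML = """<clickhouse>
  <http_port>8123</http_port><tcp_port>9000</tcp_port>
  <listen_host>127.0.0.1</listen_host>
</clickhouse>"""

SECRET_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")
ANY_NET = ("::/0", "0.0.0.0/0")
ALL_IFACES = ("::", "0.0.0.0")

def audit(users_xml: str, config_xml: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    users = ET.fromstring(users_xml).find("users")
    for user in (users if users is not None else []):
        # An empty <password></password> counts as no credential at all.
        if not any(user.findtext(tag) for tag in SECRET_TAGS):
            findings.append(f"user '{user.tag}' has no password")
        if any(ip.text in ANY_NET for ip in user.iter("ip")):
            findings.append(f"user '{user.tag}' may connect from any address")
    config = ET.fromstring(config_xml)
    for host in config.iter("listen_host"):
        if host.text in ALL_IFACES:
            ports = ", ".join(p for p in (config.findtext("http_port"), config.findtext("tcp_port")) if p)
            findings.append(f"listen_host {host.text} exposes ports {ports} on all interfaces")
    return findings
```

Run `audit()` against the real files under /etc/clickhouse-server/ (root tag may be `yandex` on older releases, which the parser does not care about) to see which of the three findings apply to your own installation.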

Source: habr.com
