Two in one: tourists' data and tickets to cultural events ended up publicly accessible

Today we will look at two cases at once. Customer and partner data of two completely different companies became freely available "thanks to" open Elasticsearch servers holding the logs of those companies' information systems (IS).


In the first case, these were tens of thousands (and possibly hundreds of thousands) of tickets to various cultural events (theatres, clubs, river cruises, and so on) sold through the Radario system (www.radario.ru).

In the second case, it is data on the package tours of thousands (possibly tens of thousands) of travellers who bought tours through travel agencies connected to the Sletat.ru system (www.sletat.ru).

I want to note right away that it is not only the names of the companies that let their data leak that differ, but also the approach each company took to acknowledging what happened and to what followed. But first things first…

Disclaimer: all information below is published solely for educational purposes. The author did not obtain access to the personal data of third parties or companies. The information was taken either from open sources or was provided to the author by anonymous well-wishers.

Case one. Radario

On the evening of 06.05.2019 our system discovered a freely accessible Elasticsearch server belonging to the electronic ticket sales service Radario.

Following what is by now a sad tradition, the server contained detailed logs of the service's information system, from which it was possible to obtain personal data, user logins and passwords, and the electronic tickets themselves for events across the whole country.


The total volume of logs exceeded 1 TB.

According to the Shodan search engine, the server had been publicly accessible since 11.03.2019. I notified Radario employees on 06.05.2019 at 22:50 (MSK), and on 07.05.2019 at around 09:30 the server became unavailable.

The logs contained a global (single) authorization token that gave access to every purchased ticket via special links of the form:

http://radario.ru/internal/tickets/XXXXXXXX/print?access_token=******JuYWw6MDIzOWRjOTM1NzJiNDZjMTlhZGFjZmRhZTQ3ZDgyYTk

http://radario.ru/internal/orders/YYYYYYY/print?access_token=******JuYWw6MDIzOWRjOTM1NzJiNDZjMTlhZGFjZmRhZTQ3ZDgyYTk

The problem is compounded by the fact that ticket and order numbers were assigned sequentially: by simply iterating the ticket number (XXXXXXXX) or the order number (YYYYYYY) with that one token, it was possible to pull every ticket out of the system.
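The combination described above, one token that authorizes any ticket plus predictable ticket numbers, is what turns a single leaked link into a full dump. The following is an added example, not Radario's code: it models the weak scheme next to one where the token is an HMAC over the ticket id and an expiry, and then replays one leaked link against neighbouring sequential ids to show how many tickets each scheme gives up. The host name, server secret and ticket numbers are constructed; only the URL shape follows the leaked links quoted on this page.

```python
"""Added example (not Radario's code): a global access_token plus sequential
ticket numbers versus a token bound to one ticket id and an expiry.
Host, secret and ticket numbers are constructed placeholders."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

HOST = "http://tickets.example.invalid"             # constructed, not the real host
SERVER_SECRET = b"hypothetical-server-side-secret"  # assumption: never written to logs


# --- Weak scheme, as the leaked links suggest: one token for all tickets ------
GLOBAL_TOKEN = "global-token-that-ended-up-in-the-logs"


def weak_url(ticket_id: int) -> str:
    return f"{HOST}/internal/tickets/{ticket_id}/print?access_token={GLOBAL_TOKEN}"


def weak_authorize(ticket_id: int, params: dict, now: float) -> bool:
    # The token is checked, the ticket id is not: any ticket prints with it.
    token = params.get("access_token", [""])[0]
    return hmac.compare_digest(token, GLOBAL_TOKEN)


# --- Hardened scheme: token is an HMAC over (ticket id, expiry) ---------------
def _mac(ticket_id: int, exp: int) -> str:
    msg = f"ticket:{ticket_id}:exp:{exp}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def bound_url(ticket_id: int, now: float, ttl: int = 3600) -> str:
    exp = int(now) + ttl
    return (f"{HOST}/internal/tickets/{ticket_id}/print"
            f"?access_token={_mac(ticket_id, exp)}&exp={exp}")


def bound_authorize(ticket_id: int, params: dict, now: float) -> bool:
    token = params.get("access_token", [""])[0]
    try:
        exp = int(params.get("exp", ["0"])[0])
    except ValueError:
        return False
    if now > exp:                 # a link that leaks out of the logs later is dead
        return False
    # Recompute for *this* ticket id: a token minted for a neighbouring id fails.
    return hmac.compare_digest(token, _mac(ticket_id, exp))


# --- What one leaked link is worth under each scheme --------------------------
def parse_print_url(url: str):
    """Split .../internal/tickets/<id>/print?... into (ticket id, query params)."""
    parts = urlsplit(url)
    segs = parts.path.strip("/").split("/")
    return int(segs[2]), parse_qs(parts.query)


def reachable_with(leaked_url: str, authorize, candidate_ids, now: float):
    """Replay the leaked query string against a range of sequential ids and
    return the ids the server would print. Pure simulation: nothing is sent."""
    _, params = parse_print_url(leaked_url)
    return [tid for tid in candidate_ids if authorize(tid, params, now)]


if __name__ == "__main__":
    now = time.time()
    ids = range(11819270, 11819280)          # constructed sequential neighbourhood
    print("weak   :", len(reachable_with(weak_url(11819272), weak_authorize, ids, now)), "tickets")
    print("bound  :", reachable_with(bound_url(11819272, now), bound_authorize, ids, now))
    print("expired:", reachable_with(bound_url(11819272, now), bound_authorize, ids, now + 7200))
```

Binding the token to the ticket id limits a leaked link to that one ticket, and the expiry limits how long a link copied out of a log stays useful; neither replaces keeping the logs themselves off the public internet, which is the actual failure in this case.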

To check that the data was current, I honestly bought the cheapest ticket:


and later found it on the public server in the IS logs:

http://radario.ru/internal/tickets/11819272/print?access_token=******JuYWw6MDIzOWRjOTM1NzJiNDZjMTlhZGFjZmRhZTQ3ZDgyYTk

Separately, I want to stress that tickets were available both for events that had already taken place and for ones still upcoming. In other words, a potential attacker could use someone else's ticket to get into an upcoming event.

On average, each Elasticsearch index holding one day's logs (from 24.01.2019 to 07.05.2019) contained 25 to 35 thousand tickets.

Besides the tickets themselves, the indexes contained logins (email addresses) and plaintext passwords for the accounts of Radario partners who sell event tickets through the service:

Content: "ReturnUrl=&UserEmail=***@yandex.ru&UserPassword=***"

In total, more than 500 login/password pairs were identified. Ticket sales statistics could be viewed from the partner accounts:


There were also the names, phone numbers and email addresses of buyers who had decided to refund previously purchased tickets:

"Content": "{"name":"***","surname":"*** ","middleName":"Евгеньевна ","passportType":1,"passportNumber":"","passportIssueDate":"11-11-2011 11:11:11","passportIssuedBy":"","email":"***@mail.ru","phone":"+799*******","ticketNumbers":["****24848","****948732"],"refundReason":4,"comment":""}"

On one selected day, more than 500 such records were found.

I received the following reply to my notification from Radario's technical director:

I am the technical director of Radario and I want to thank you for discovering the problem. As you know, we have closed access to Elastic and are resolving the question of reissuing tickets to customers.

A little later the company made an official statement:

A vulnerability that could have led to a leak of the service's customer data was discovered and promptly fixed in the Radario electronic ticket sales system, the company's sales director Kirill Malyshev told the Moscow City News Agency.

"In fact, we discovered a vulnerability in the structure of the system related to a routine update, which was eliminated immediately after it was found. As a result of the vulnerability, under certain conditions, unfriendly actions by third parties could have led to a loss of data, but no such incidents were recorded. At the moment, all vulnerabilities have been eliminated," said K. Malyshev.

The company representative stressed that it had been decided to reissue all tickets sold during the period in which the problem was being resolved, in order to rule out entirely the possibility of fraud against the service's customers.

A few days later I checked whether the data was still reachable through the leaked links: access to the "exposed" tickets had indeed been closed. In my opinion, this is a competent, professional way of handling a data leak.

Case two. Sletat.ru

On the morning of 15.05.2019, DeviceLock Data Breach Intelligence discovered a public Elasticsearch server containing the logs of some information system.


It was later established that the server belonged to the tour selection service Sletat.ru.

From the cbto__0 index it was possible to obtain thousands of email addresses (11.7 thousand including duplicates), as well as some payment data (tour cost) and trip data (when, where, full details of the flight tickets of all travellers included in the tour, and so on) in roughly 1.8 thousand records:

"full_message": "Получен запрос за создание платежного средства: {"SuccessReturnUrl":"https://sletat.ru/tour/7-1939548394-65996246/buy/?ClaimId=b5e3bf98-2855-400d-a93a-17c54a970155","ErrorReturnUrl":"https://sletat.ru/","PaymentAgentId":15,"DocumentNumber":96629429,"DocumentDisplayNumber":"4451-17993","Amount":36307.0,"PaymentToolType":3,"ExpiryDateUtc":"2020-04-03T00:33:55.217358+03:00","LifecycleType":2,"CustomerEmail":"[email protected]","Description":"","SettingsId":"8759d0dd-da54-45dd-9661-4e852b0a1d89","AdditionalInfo":"{"TourOfficeAdditionalInfo":{"IsAdditionalPayment":false},"BarrelAdditionalInfo":{"Tickets":[{"Passenger":{"FIO":"XXX VIKTORIIA"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX ANDREI"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX Andrei"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false}],"Segments":[{"Flight":"5659","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"LED","DepartureAirport":"LED","DepartureAirportIataCode":"LED","DepartureDate":"2019-04-11T02:45:00","DepartureTime":null,"ArrivalCity":"SHJ","ArrivalAirport":"SHJ","ArrivalAirportIataCode":"SHJ","ArrivalDate":"2019-04-11T09:40:00","ArrivalTime":null,"FareCode":null},{"Flight":"5660","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"SHJ","DepartureAirport":"SHJ","DepartureAirportIataCode":"SHJ","DepartureDate":"2019-04-14T10:45:00","DepartureTime":null,"ArrivalCity":"LED","ArrivalAirport":"LED","ArrivalAirportIataCode":"LED","ArrivalDate":"2019-04-14T15:50:00","ArrivalTime":null,"FareCode":null}]},"Tickets":[{"Passenger":{"FIO":"XXX VIKTORIIA"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX ANDREI"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX Andrei"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false}],"Segments":[{"Flight":"5659","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"LED","DepartureAirport":"LED","DepartureAirportIataCode":"LED","DepartureDate":"2019-04-11T02:45:00","DepartureTime":null,"ArrivalCity":"SHJ","ArrivalAirport":"SHJ","ArrivalAirportIataCode":"SHJ","ArrivalDate":"2019-04-11T09:40:00","ArrivalTime":null,"FareCode":null},{"Flight":"5660","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"SHJ","DepartureAirport":"SHJ","DepartureAirportIataCode":"SHJ","DepartureDate":"2019-04-14T10:45:00","DepartureTime":null,"ArrivalCity":"LED","ArrivalAirport":"LED","ArrivalAirportIataCode":"LED","ArrivalDate":"2019-04-14T15:50:00","ArrivalTime":null,"FareCode":null}]}","FinancialSystemId":9,"Key":"18fe21d1-8c9c-43f3-b11d-6bf884ba6ee0"}"

Incidentally, the tour payment links from these records worked perfectly well:


In the indexes named graylog_ there were, in plain text, the logins and passwords of travel agencies connected to the Sletat.ru system that sell tours to their own clients:

"full_message": "Tours by request 155213901 added to local cache with key 'user_cache_155213901' at 5/6/2019 4:49:07 PM, rows found 0, sortedPriceLength 215. QueryString: countryId=90&cityFromId=1265&s_nightsMin=6&s_nightsMax=14&stars=403%2c404&minHotelRating=1&currencyAlias=RUB&pageSize=300&pageNumber=1&s_showcase=true&includeOilTaxesAndVisa=0&login=zakaz%40XXX.ru&password=XXX, Referer: , UserAgent: , IP: 94.154.XX.XX."

By my estimate, several hundred login/password pairs were exposed.
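Both cases share one root cause beyond the open port: the application wrote credentials into its logs, as a URL-encoded form body in the Radario case and as a search query string in the Sletat.ru case, so anyone who reached the logs got the passwords for free. What follows is an added example, not DeviceLock's tooling or either company's code: a small scanner that finds identity/secret pairs in log lines of those two shapes (plus JSON bodies written into log messages) and a redactor that masks only the secret values, leaving the logins so that the affected accounts can be notified. The four log lines are constructed to mirror the shapes quoted on this page; the emails, hosts and secrets in them are placeholders, and the list of secret-looking key names is a heuristic.

```python
"""Added example (not DeviceLock's or either company's code): find and redact
credentials that application logs should never carry. SAMPLE_LOG is constructed
to mirror the log shapes quoted in the article; all values are placeholders."""
import re
from urllib.parse import unquote

# Heuristic key names; extend to match the application's own field names.
SECRET_KEY = re.compile(r"(?i)(password|passwd|pwd|secret|token)")
IDENTITY_KEY = re.compile(r"(?i)(login|user|username|useremail|email)$")

# key=value pairs as they appear in query strings and URL-encoded form bodies.
# The value stops at '&', whitespace, quotes or a comma (a comma is the log
# formatter's separator in the second sample, so a password containing one is cut).
KV_RE = re.compile(r'(?P<key>[A-Za-z_][\w\-]*)=(?P<val>[^&\s"\'\\,]*)')
# "Key":"value" pairs as they appear in JSON bodies written into log messages.
JSON_RE = re.compile(r'"(?P<key>[^"\\]+)"\s*:\s*"(?P<val>[^"\\]*)"')

SAMPLE_LOG = [  # constructed, not real log data
    'Content: "ReturnUrl=&UserEmail=partner@example.invalid&UserPassword=Winter2019!"',
    'QueryString: countryId=90&cityFromId=1265&login=zakaz%40agency.invalid&password=qwerty123, Referer: , IP: 192.0.2.10.',
    '{"CustomerEmail":"buyer@example.invalid","Amount":36307.0,"ApiToken":"tok_abc"}',
    'GET /internal/tickets/11819272/print?access_token=0123456789abcdef HTTP/1.1',
]


def scan_line(line: str):
    """Return (identities, secrets) found in one line as (key, value) pairs,
    with URL-encoded values decoded."""
    identities, secrets = [], []
    for rx in (KV_RE, JSON_RE):
        for m in rx.finditer(line):
            key, val = m.group("key"), m.group("val")
            if not val:
                continue
            if SECRET_KEY.search(key):
                secrets.append((key, unquote(val)))
            elif IDENTITY_KEY.search(key):
                identities.append((key, unquote(val)))
    return identities, secrets


def redact_line(line: str) -> str:
    """Mask the value of every secret-looking key; everything else is kept."""
    def kv(m):
        if SECRET_KEY.search(m.group("key")) and m.group("val"):
            return f"{m.group('key')}=[REDACTED]"
        return m.group(0)

    def js(m):
        if SECRET_KEY.search(m.group("key")) and m.group("val"):
            return f'"{m.group("key")}":"[REDACTED]"'
        return m.group(0)

    return JSON_RE.sub(js, KV_RE.sub(kv, line))


def scan_log(lines):
    """One finding per line that carries a secret: line number, identities to
    notify and which secret fields leaked (never the secret values themselves)."""
    findings = []
    for n, line in enumerate(lines, 1):
        ids, secrets = scan_line(line)
        if secrets:
            findings.append({"line": n,
                             "identities": [v for _, v in ids],
                             "secret_fields": [k for k, _ in secrets]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run this over an export of the logging pipeline before it ever reaches an index: the findings list is what you hand to the people who must reset the accounts, and the redacted form is what may be stored. The right long-term fix is to stop the application from logging request bodies and query strings that carry credentials at all; the scanner only tells you where that is still happening.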

From a travel agency's personal account on the agent.sletat.ru portal it was possible to obtain client data, including internal passport numbers, international passport numbers, dates of birth, full names, phone numbers and email addresses.


I notified the Sletat.ru service on 15.05.2019 at 10:46 (MSK), and within a few hours (by 16:00) the server had disappeared from open access. Later, in response to a publication in Kommersant, the service's management made a rather strange statement to the media:

The head of the company, Andrei Vershinin, explained that Sletat.ru gives its major partner tour operators access to the history of queries in the search engine. And he assumed that this is what DeviceLock obtained: "However, the data in question does not contain tourists' passport data, travel agencies' logins and passwords, payment data, and so on." Andrei Vershinin noted that Sletat.ru has not yet received any evidence for such serious accusations. "We are now trying to contact DeviceLock. We believe this is a commissioned piece. Some people do not like our rapid growth," he said.

As shown above, the logins, passwords and passport data of tourists were publicly accessible for a long time (at least since 29.03.2019, when the Shodan search engine first recorded the company's server as open). Naturally, nobody contacted us. I hope that at the very least they notified the travel agencies about the leak and made them change their passwords.

News about information leaks and insiders can always be found on the "Information Leaks" Telegram channel.

source: www.habr.com
