Dina iki kita bakal ndeleng rong kasus sekaligus - data klien lan mitra saka rong perusahaan sing beda-beda kasedhiya kanthi gratis "matur nuwun" mbukak server Elasticsearch kanthi log sistem informasi (IS) perusahaan kasebut.
Ing kasus sing sepisanan, iki puluhan ewu (lan bisa uga atusan ewu) tiket kanggo macem-macem acara budaya (teater, klub, lelungan kali, lan sapiturute) sing didol liwat sistem Radario (www.radario.ru).
Ing kasus kapindho, iki minangka data babagan lelungan wisata ewonan (bisa uga sawetara puluhan ewu) lelungan sing tuku tur liwat agensi perjalanan sing disambungake menyang sistem Sletat.ru (www.sletat.ru).
Aku langsung nyathet yen ora mung jeneng perusahaan sing ngidini data kasedhiya kanggo umum beda-beda, nanging uga pendekatan perusahaan kasebut kanggo ngenali kedadeyan kasebut lan reaksi sabanjure. Nanging dhisik dhisikβ¦
ΠΠΈΡΠΊΠ»Π΅ΠΉΠΌΠ΅Ρ: Π²ΡΡ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ Π½ΠΈΠΆΠ΅ ΠΏΡΠ±Π»ΠΈΠΊΡΠ΅ΡΡΡ ΠΈΡΠΊΠ»ΡΡΠΈΡΠ΅Π»ΡΠ½ΠΎ Π² ΠΎΠ±ΡΠ°Π·ΠΎΠ²Π°ΡΠ΅Π»ΡΠ½ΡΡ
ΡΠ΅Π»ΡΡ
. ΠΠ²ΡΠΎΡ Π½Π΅ ΠΏΠΎΠ»ΡΡΠ°Π» Π΄ΠΎΡΡΡΠΏΠ° ΠΊ ΠΏΠ΅ΡΡΠΎΠ½Π°Π»ΡΠ½ΡΠΌ Π΄Π°Π½Π½ΡΠΌ ΡΡΠ΅ΡΡΠΈΡ
Π»ΠΈΡ ΠΈ ΠΊΠΎΠΌΠΏΠ°Π½ΠΈΠΉ. ΠΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ Π²Π·ΡΡΠ° Π»ΠΈΠ±ΠΎ ΠΈΠ· ΠΎΡΠΊΡΡΡΡΡ
ΠΈΡΡΠΎΡΠ½ΠΈΠΊΠΎΠ², Π»ΠΈΠ±ΠΎ Π±ΡΠ»Π° ΠΏΡΠ΅Π΄ΠΎΡΡΠ°Π²Π»Π΅Π½Π° Π°Π²ΡΠΎΡΡ Π°Π½ΠΎΠ½ΠΈΠΌΠ½ΡΠΌΠΈ Π΄ΠΎΠ±ΡΠΎΠΆΠ΅Π»Π°ΡΠ΅Π»ΡΠΌΠΈ.
Kasus siji. "Radario"
Ing wayah sore 06.05.2019/XNUMX/XNUMX sistem kita , diduweni dening layanan dodolan tiket elektronik Radario.
Miturut tradhisi sedhih sing wis ana, server kasebut ngemot log rinci babagan sistem informasi layanan, saka ngendi sampeyan bisa entuk data pribadhi, login pangguna lan sandhi, uga tiket elektronik kanggo macem-macem acara ing saindenging negara.
Volume total log ngluwihi 1 TB.
Miturut mesin telusur Shodan, server kasebut wis bisa diakses umum wiwit 11.03.2019 Maret 06.05.2019. Aku ngandhani karyawan Radario ing 22/50/07.05.2019 ing 09:30 (MSK) lan ing XNUMX/XNUMX/XNUMX udakara XNUMX:XNUMX server dadi ora kasedhiya.
Log kasebut ngemot token wewenang universal (tunggal), nyedhiyakake akses menyang kabeh tiket sing dituku liwat tautan khusus, kayata:
http://radario.ru/internal/tickets/XXXXXXXX/print?access_token=******JuYWw6MDIzOWRjOTM1NzJiNDZjMTlhZGFjZmRhZTQ3ZDgyYTk
http://radario.ru/internal/orders/YYYYYYY/print?access_token=******JuYWw6MDIzOWRjOTM1NzJiNDZjMTlhZGFjZmRhZTQ3ZDgyYTkMasalahe uga kanggo akun tiket, terus-terusan nomer pesenan digunakake lan enumerasi prasaja saka nomer tiket (XXXXXXXXX) utawa pesenan (YYYYYYY), iku bisa kanggo njaluk kabeh karcis saka sistem.
Kanggo mriksa relevansi database, aku malah tuku tiket sing paling murah:
lan mengko ditemokake ing server umum ing log IS:
http://radario.ru/internal/tickets/11819272/print?access_token==******JuYWw6MDIzOWRjOTM1NzJiNDZjMTlhZGFjZmRhZTQ3ZDgyYTkKanthi kapisah, aku pengin negesake manawa tiket kasedhiya kanggo acara sing wis ditindakake lan kanggo sing isih direncanakake. Yaiku, penyerang potensial bisa nggunakake tiket wong liya kanggo mlebu acara sing direncanakake.
Rata-rata, saben indeks Elasticsearch ngemot log kanggo sedina tartamtu (wiwit 24.01.2019/07.05.2019/25 nganti 35/XNUMX/XNUMX) ngemot XNUMX nganti XNUMX ewu tiket.
Saliyane tiket dhewe, indeks kasebut ngemot login (alamat email) lan sandhi teks kanggo ngakses akun pribadi mitra Radario sing adol tiket menyang acara kasebut liwat layanan iki:
Content: "ReturnUrl=&UserEmail=***@yandex.ru&UserPassword=***"Secara total, luwih saka 500 pasangan login/sandi dideteksi. Statistik penjualan tiket katon ing akun pribadi mitra:
Uga kasedhiya kanggo umum yaiku jeneng, nomer telpon lan alamat email para panuku sing mutusake bali tiket sing wis dituku sadurunge:
"Content": "{"name":"***","surname":"*** ","middleName":"ΠΠ²Π³Π΅Π½ΡΠ΅Π²Π½Π° ","passportType":1,"passportNumber":"","passportIssueDate":"11-11-2011 11:11:11","passportIssuedBy":"","email":"***@mail.ru","phone":"+799*******","ticketNumbers":["****24848","****948732"],"refundReason":4,"comment":""}"Ing sawijining dina sing dipilih kanthi acak, luwih saka 500 cathetan kasebut ditemokake.
Aku nampa respon kanggo tandha saka direktur teknis Radario:
Aku direktur teknis Radario lan matur nuwun kanggo ngenali masalah. Kaya sing sampeyan ngerteni, kita wis nutup akses menyang elastis lan ngrampungake masalah nerbitake maneh tiket kanggo klien.
Ora suwe, perusahaan kasebut nggawe pernyataan resmi:
Kerentanan ditemokake ing sistem penjualan tiket elektronik Radario lan didandani kanthi cepet, sing bisa nyebabake bocor data saka klien layanan kasebut, direktur pemasaran perusahaan, Kirill Malyshev, marang Kantor Berita Kota Moskow.
"Kita bener-bener nemokake kerentanan ing operasi sistem sing ana gandhengane karo nganyari biasa, sing didandani sanalika sawise ditemokake. Minangka akibat saka kerentanan, ing kahanan tartamtu, tumindak sing ora ramah saka pihak katelu bisa nyebabake kebocoran data, nanging ora ana kedadeyan sing kacathet. Ing wayahe, kabeh kesalahane wis diilangi, "ujare K. Malyshev.
A wakil perusahaan nandheske sing iki mutusakΓ© kanggo reissue kabeh karcis didol sak solusi kanggo masalah supaya rampung ngilangke kamungkinan saka sembarang penipuan marang klien layanan.
Sawetara dina sabanjure, aku mriksa kasedhiyan data nggunakake tautan sing bocor - akses menyang tiket "kasedhiya" pancen dijamin. Miturut pendapatku, iki minangka pendekatan profesional sing kompeten kanggo ngrampungake masalah kebocoran data.
Kasus loro. "Fly.ru"
Esuk 15.05.2019/XNUMX/XNUMX Intelligence Pelanggaran Data DeviceLock ngenali server Elasticsearch umum kanthi log IS tartamtu.
Mengko ditetepake manawa server kasebut kalebu layanan pilihan tur "Sletat.ru".
Saka indeks cbto__0 Sampeyan bisa entuk ewonan (11,7 ewu kalebu duplikat) alamat email, uga sawetara informasi pembayaran (biaya tur) lan data tur (nalika, ing ngendi, rincian tiket pesawat. Π²ΡΠ΅Ρ lelungan sing kalebu ing tur, lsp) kanthi jumlah udakara 1,8 ewu cathetan:
"full_message": "ΠΠΎΠ»ΡΡΠ΅Π½ Π·Π°ΠΏΡΠΎΡ Π·Π° ΡΠΎΠ·Π΄Π°Π½ΠΈΠ΅ ΠΏΠ»Π°ΡΠ΅ΠΆΠ½ΠΎΠ³ΠΎ ΡΡΠ΅Π΄ΡΡΠ²Π°: {"SuccessReturnUrl":"https://sletat.ru/tour/7-1939548394-65996246/buy/?ClaimId=b5e3bf98-2855-400d-a93a-17c54a970155","ErrorReturnUrl":"https://sletat.ru/","PaymentAgentId":15,"DocumentNumber":96629429,"DocumentDisplayNumber":"4451-17993","Amount":36307.0,"PaymentToolType":3,"ExpiryDateUtc":"2020-04-03T00:33:55.217358+03:00","LifecycleType":2,"CustomerEmail":"[email protected]","Description":"","SettingsId":"8759d0dd-da54-45dd-9661-4e852b0a1d89","AdditionalInfo":"{"TourOfficeAdditionalInfo":{"IsAdditionalPayment":false},"BarrelAdditionalInfo":{"Tickets":[{"Passenger":{"FIO":"XXX VIKTORIIA"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX ANDREI"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX Andrei"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false}],"Segments":[{"Flight":"5659","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"LED","DepartureAirport":"LED","DepartureAirportIataCode":"LED","DepartureDate":"2019-04-11T02:45:00","DepartureTime":null,"ArrivalCity":"SHJ","ArrivalAirport":"SHJ","ArrivalAirportIataCode":"SHJ","ArrivalDate":"2019-04-11T09:40:00","ArrivalTime":null,"FareCode":null},{"Flight":"5660","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"SHJ","DepartureAirport":"SHJ","DepartureAirportIataCode":"SHJ","DepartureDate":"2019-04-14T10:45:00","DepartureTime":null,"ArrivalCity":"LED","ArrivalAirport":"LED","ArrivalAirportIataCode":"LED","ArrivalDate":"2019-04-14T15:50:00","ArrivalTime":null,"FareCode":null}]},"Tickets":[{"Passenger":{"FIO":"XXX VIKTORIIA"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX ANDREI"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false},{"Passenger":{"FIO":"XXX Andrei"},"ReservationSystem":null,"TicketNumber":null,"IsRefundPossible":false}],"Segments":[{"Flight":"5659","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"LED","DepartureAirport":"LED","DepartureAirportIataCode":"LED","DepartureDate":"2019-04-11T02:45:00","DepartureTime":null,"ArrivalCity":"SHJ","ArrivalAirport":"SHJ","ArrivalAirportIataCode":"SHJ","ArrivalDate":"2019-04-11T09:40:00","ArrivalTime":null,"FareCode":null},{"Flight":"5660","AviaCompany":null,"AviaCompanyIataCode":null,"DepartureCity":"SHJ","DepartureAirport":"SHJ","DepartureAirportIataCode":"SHJ","DepartureDate":"2019-04-14T10:45:00","DepartureTime":null,"ArrivalCity":"LED","ArrivalAirport":"LED","ArrivalAirportIataCode":"LED","ArrivalDate":"2019-04-14T15:50:00","ArrivalTime":null,"FareCode":null}]}","FinancialSystemId":9,"Key":"18fe21d1-8c9c-43f3-b11d-6bf884ba6ee0"}"Ngomong-ngomong, tautan menyang tur berbayar cukup efektif:
Ing indeks kanthi jeneng graylog_ ing teks sing cetha yaiku login lan sandhi agensi perjalanan sing disambungake menyang sistem Sletat.ru lan adol tur menyang klien:
"full_message": "Tours by request 155213901 added to local cache with key 'user_cache_155213901' at 5/6/2019 4:49:07 PM, rows found 0, sortedPriceLength 215. QueryString: countryId=90&cityFromId=1265&s_nightsMin=6&s_nightsMax=14&stars=403%2c404&minHotelRating=1¤cyAlias=RUB&pageSize=300&pageNumber=1&s_showcase=true&includeOilTaxesAndVisa=0&login=zakaz%40XXX.ru&password=XXX, Referer: , UserAgent: , IP: 94.154.XX.XX."Miturut perkiraanku, sawetara atus pasangan login/sandi ditampilake.
Saka akun pribadi agensi travel ing portal agent.sletat.ru iku bisa diwenehi data customer, kalebu nomer passport, passports internasional, tanggal lair, jeneng lengkap, nomer telpon lan alamat email.
Aku ngabari layanan Sletat.ru ing 15.05.2019/10/46 ing 16:00 (MSK) lan sawetara jam mengko (nganti XNUMX:XNUMX) ilang saka akses gratis. Mengko, kanggo nanggepi publikasi ing Kommersant, manajemen layanan nggawe statement sing aneh banget liwat media:
Kepala perusahaan, Andrei Vershinin, nerangake manawa Sletat.ru nyedhiyakake sawetara operator tur mitra utama kanthi akses menyang riwayat pitakon ing mesin telusuran. Lan dheweke nganggep yen DeviceLock nampa: "Nanging, database sing ditemtokake ora ngemot data paspor turis, login lan sandhi agensi travel, informasi pembayaran, lsp." Andrei Vershinin nyathet yen Sletat.ru durung nampa bukti tuduhan serius kasebut. "Saiki kita nyoba ngubungi DeviceLock. Kita pitados bilih iki pesenan. Sawetara wong ora seneng tuwuh kanthi cepet, "ujare. "
Kaya sing dituduhake ing ndhuwur, login, sandhi, lan data paspor turis wis cukup suwe ing domain umum (paling ora wiwit tanggal 29.03.2019 Maret XNUMX, nalika server perusahaan pisanan dicathet ing domain umum dening mesin telusur Shodan) . Mesthi, ora ana sing ngubungi kita. Muga-muga paling ora dheweke ngandhani agensi lelungan babagan bocor kasebut lan meksa ngganti tembung sandhi.
Warta babagan bocor informasi lan wong njero mesthi bisa ditemokake ing saluran Telegramku "".
Source: www.habr.com