
E-Commerce Shops: 12% Are Publicly Exposing Private Backups

Hackers Actively Scanning for Backups to Steal Access Credentials, Researchers Warn

Attention online shoppers: Your favorite digital boutique may be exposing customer data through badly configured backups.

A study of 2,037 e-commerce shops found that 250 of them had backups that contained private information and that were stored in publicly accessible folders with no access restrictions.

The report from Sansec, an Amsterdam firm that helps merchants secure their online stores, says such backups can be easy to find. They're often stored as ZIP, SQL, TAR, GZ or TGZ files, and sport names such as backup.tgz, database.sql and

Many contain everything an attacker needs to gain administrator-level access to a site, such as "the secret administrator URL of a store, the password for the master database, plus hashed passwords for staff accounts," as well as "secret API keys and full customer data," meaning personally identifiable information - aka PII, according to Sansec's report.

The impetus for the research was Sansec repeatedly seeing publicly exposed backups when conducting digital forensic investigations and researchers hypothesizing that the problem might be widespread, says Willem de Groot, the company's director of threat research. "To quantify our suspicion, we worked with our hosting partners to run a broad analysis," and given the sample size, he thinks the results are "representative of the self-hosted e-commerce platform market."

The problem of publicly exposing private backups doesn't appear to be academic, since multiple attack groups have been seen using automated tools to pummel e-commerce shops for such files. "We have observed automated attacks against online stores, where thousands of possible backup names are tried over the course of multiple weeks," Sansec reports.

These attacks can attempt to find directories and files with well-known names, or which employ words based on the site name or pulled from DNS information. "Because these probes are very cheap to run and do not affect the target store performance, they can essentially go on forever until a backup has been found," Sansec says.
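A defender-side check for the probing pattern described above, as an added example that is not from Sansec or the original article: it reads web server access log lines, reports any request for a file with one of the extensions the report names that was actually served, and lists clients that tried several distinct backup names. The common/combined log format, the threshold of three names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Extensions the report names for exposed backups (ZIP, SQL, TAR, GZ, TGZ).
BACKUP_EXT = re.compile(r"\.(zip|sql|tar|gz|tgz)$", re.IGNORECASE)
# Assumed common/combined log format: ip - - [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /backup.tgz HTTP/1.1" 404 153',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /database.sql HTTP/1.1" 404 153',
    '203.0.113.7 - - [02/Jan/2024:03:12:40 +0000] "GET /shop.zip HTTP/1.1" 404 153',
    '203.0.113.7 - - [03/Jan/2024:03:12:41 +0000] "GET /database.sql HTTP/1.1" 404 153',
    '198.51.100.9 - - [02/Jan/2024:11:30:00 +0000] "GET /media/database.sql?x=1 HTTP/1.1" 200 52428800',
    '192.0.2.15 - - [02/Jan/2024:11:31:00 +0000] "GET /checkout/cart HTTP/1.1" 200 8120',
]

def analyze(lines, probe_threshold=3):
    """Return (exposed, probers).

    exposed: (ip, path, size) for every backup-like file served with a 2xx status.
    probers: {ip: sorted distinct backup-like paths} for clients that requested
             at least probe_threshold distinct backup-like names.
    """
    exposed = []
    tried = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not BACKUP_EXT.search(path):
            continue
        tried[m["ip"]].add(path)
        if m["status"].startswith("2"):
            size = 0 if m["size"] == "-" else int(m["size"])
            exposed.append((m["ip"], path, size))
    probers = {ip: sorted(p) for ip, p in tried.items() if len(p) >= probe_threshold}
    return exposed, probers

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any entry in `exposed` means a backup-like file was reachable without access restrictions and should be treated as disclosed; `probers` only indicates scanning activity.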

Once attackers gain remote access to a site, they may be able to introduce malicious code, such as digital skimmers or sniffers designed to grab card payment data as it is input by customers, via what's known as Magecart-style attacks. Stolen customer data can be used for social engineering attacks, including phishing campaigns.

Both small and large e-commerce operations have been leaking private backups, Sansec's researchers found. "The only organizations that don't suffer from this are those with strict deployment procedures - meaning that manual intervention on production systems is forbidden," de Groot says.

As part of the research, none of the exposed backups got downloaded. Instead, he says, affected merchants as well as the hosting providers with which Sansec works got a heads-up, and the latter "implemented platform-wide mitigations" to fix this problem.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
