Fieldwork Software Database Exposed Customer Data: Report
Researchers Say Company Promptly Fixed Leak
Sensitive information, including credit card and phone numbers, was left exposed to the internet on an unsecured database belonging to Fieldwork Software, which provides cloud-based services to small businesses, researchers note in a new report.
The unsecured database, which contained about 26GB of data, was discovered by Noam Rotem and Ran Locar, self-described security researchers and hacktivists. The two researchers don't say in their Monday blog post how long the data remained exposed, but they note that when the problem was brought to Fieldwork Software's attention, the company's security team closed the exposure within 20 minutes.
Fieldwork Software, which is based in Niles, Illinois, did not immediately reply to a request for comment.
It's not known whether any data was compromised as a result of the unsecured database, but the database was hosted on Amazon Web Services and reachable without any authentication, Rotem tells Information Security Media Group.
Rotem and Locar have a track record of finding these types of unsecured databases. For example, in an April report, they described an exposed database that contained information on nearly 80 million U.S. households (see: Mystery Database Exposed Info on 80 Million US Households).
Fieldwork's cloud-based services help small businesses track customer calls and manage their operations. As a result, its database held clients' information, such as invoice templates, scheduling interfaces and product tracking, which could have been exploited for fraud or identity theft, the researchers say.
The auto log-in credentials found in the exposed database could have led to a wider breach, because they gave direct access to the company's backend, the two researchers say. That would have let an attacker reach sensitive client information and administrative infrastructure, including customer credit card numbers, CVV numbers and IP addresses, according to the report.
In addition, the availability of location data could have had severe consequences, enabling crimes such as in-person theft or attacks, the researchers say.
Although the exposed logs dated back only 30 days, the researchers say they contained vital information about clients, including building access information, alarm codes, lockbox codes and passwords. The same backend access could also have been used to lock Fieldwork's clients out of their accounts by making changes to the backend.
"In my opinion, the most dangerous information left on the system was home alarm codes, door key locations - complete with home addresses - plus geo-location; this is the burglar's dream," Rotem tells ISMG.
Even though Fieldwork protected passwords in some cases, the researchers found that a malicious actor could locate customer account credentials through certain templates. Based on what they call the weak points in Fieldwork's system, the researchers say an attacker could have undermined the system and severely affected Fieldwork's business.
"If any of these attacks had occurred based on the data breach, it would profoundly impact the companies that relied on Fieldwork for building their businesses," the researchers say. "A breach could undermine their clients' trust. This could lead to clients employing a competing company that didn't use leaky software to protect themselves better," they added.
This is not the first time that Rotem and Locar have identified poorly secured databases and companies not following good security practices.
The two researchers are working on a large-scale web mapping project, using port scanning techniques to look at various known IP blocks and addresses. During this project, they have found weaknesses and data leaks in numerous files and systems that are stored in the cloud and exposed to the internet.
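The mapping approach described above, reduced to a runnable illustration: connect to candidate host/port pairs, send a harmless probe with no credentials, and flag any service that answers with data, since a database that talks to an anonymous client is exactly the kind of exposure found here. This is an added example and is not the researchers' tooling or anything from Fieldwork. The hosts, ports and banner are assumptions, and the "datastore" it finds is a constructed local listener that stands in for an unauthenticated cloud-hosted database.

```python
# Added example: a minimal TCP exposure check. Not the researchers' tooling
# and not Fieldwork code; the "datastore" it finds is a constructed local
# listener that answers any connection with a banner (assumption: that is
# how an unauthenticated service behaves toward an anonymous client).
import socket
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortResult:
    host: str
    port: int
    is_open: bool
    banner: Optional[bytes]  # data the service volunteered to an anonymous client


def probe(host: str, port: int, timeout: float = 1.0) -> PortResult:
    """Connect to host:port. If the port is open, send a harmless newline and
    read whatever the service says back without presenting any credentials."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = None
            try:
                s.sendall(b"\r\n")
                data = s.recv(256)
                banner = data if data else None
            except OSError:  # includes socket.timeout: open but silent
                pass
            return PortResult(host, port, True, banner)
    except OSError:  # refused, unreachable or timed out: treat as closed
        return PortResult(host, port, False, None)


def scan(hosts, ports, timeout: float = 1.0) -> list[PortResult]:
    """Probe every host/port pair; a mapping project does this over whole IP blocks."""
    return [probe(h, p, timeout) for h in hosts for p in ports]


def exposed(results: list[PortResult]) -> list[PortResult]:
    """Open ports that answered a blind probe with data. A service that talks to
    an anonymous connection is the candidate worth a manual look."""
    return [r for r in results if r.is_open and r.banner]


def start_fake_service(banner: bytes) -> tuple[int, socket.socket]:
    """Constructed stand-in for an unauthenticated datastore on 127.0.0.1.
    Returns (port, listening socket); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was closed
                return
            with conn:
                try:
                    conn.recv(64)          # swallow the client's probe
                    conn.sendall(banner)   # reply with data, no auth asked
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def free_port() -> int:
    """Pick a port nothing is listening on (bind to 0, then release it)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed banner; a real unauthenticated datastore would answer in its own protocol.
    port, srv = start_fake_service(b'{"cluster_name":"demo","auth":"none"}\n')
    results = scan(["127.0.0.1"], [port, free_port()])
    for r in results:
        print(r)
    print("exposed:", [r.port for r in exposed(results)])
    srv.close()
```

Run it only against address ranges you are authorized to test. A hit means the service is reachable and talkative to a stranger, not that its data is necessarily readable; a miss only covers the ports you probed, and a service that stays silent until it receives a protocol-specific request will show as open with no banner, so the open-but-silent results still deserve a follow-up with the right client.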
In addition to this week's disclosure and the unnamed database holding data on 80 million U.S. households discovered in April, Rotem published research with VPNMentor on Gearbest, a Chinese e-commerce site whose unsecured database exposed 1.5 million customer records, including payment information, email addresses and other personal data (see: Gearbest Database Leaks 1.5 Million Customer Records).