ElasticSearch Servers Permanently Leak Millions of Records
A large number of Elasticsearch servers run with no basic security at all, which means their contents are open to anyone who can reach port 9200.
Exposed Elasticsearch instances are an old story, yet the problem still affects the biggest players on the market: Google, Amazon, Alibaba, and Microsoft. Time goes on, nobody seems to be bothered, and nothing changes.
The root cause of these leaks is that Elasticsearch releases of the time ship with no authentication or transport encryption enabled by default (it has to be switched on in elasticsearch.yml), and a large share of developers never take that step to protect their data.
The Spyse team used their own search engine and, in response to a few simple queries, got back 436 terabytes of openly accessible data. It belongs to enterprises such as Amazon, DigitalOcean, Google, Microsoft, ESPN, and a large number of Chinese corporations.
Analysis of the exposed data shows that it contains plenty of users' sensitive data (passwords, names, e-mail addresses, postal addresses, and so on), business information (revenue, products, employees, and so on), and in fact anything that can be stored in Elasticsearch.
Here are the data fields that were retrieved from one of Amazon's servers:
*Note: this is only a sample, and the server may belong to a customer who merely hosts on Amazon's infrastructure rather than to Amazon itself.
Leaked Data
Top 3 countries by number of exposed servers
| Country | Number of servers |
| --- | --- |
| China | 5468 |
| United States | 4256 |
| Germany | 1070 |
Vulnerable domains by Alexa Rank
| Alexa Rank | Domain |
| --- | --- |
| 16451 | espn.com.mx |
| 18568 | htmlbook.ru |
| 21661 | qyresearch.com |
| 25914 | econet.ru |
| 28058 | baiduyunpan.com |
| 30961 | btba.cc |
| 31947 | btba.com.cn |
| 32804 | espn.com.au |
Top 10 most vulnerable organizations
The danger lies not in the leaked data itself but in the ways attackers can use it. The opportunities range from the tiniest to the largest, and each can damage a company's reputation, disrupt its processes, and cause financial loss. An open Elasticsearch node accepts writes as well as reads, so, for example, attackers can change an order's status to "paid" and have products shipped for free, intercept a container full of goods, or quietly connect and sell insider information to competitors.
These are just a few simple examples; real attackers get very creative when seven-figure sums are at stake.
How Spyse found this data.
Step 1. Search for all Elasticsearch instances, which by default listen on port 9200.
Sample request:
Step 2. Confirm that the IP addresses found actually run Elasticsearch. A simple HTTP GET request to the root path is enough: an unprotected node answers with its cluster name, version, and the tagline "You Know, for Search", whereas a node with security enabled answers 401 and asks for credentials.
And that's all. By linking the results with other data sets, a user now has each IP address related to its organization, ISP, domains and subdomains, and known vulnerabilities. Nobody knows who will use this information, or how.
It is important to realize that this is not the first breach of this kind: these databases are routinely left open and ready to be exploited. Hopefully, after this article, developers will finally start thinking about their security needs and follow the basic Elasticsearch recommendations: enable authentication, bind the node to an internal interface rather than 0.0.0.0, and never expose port 9200 directly to the Internet.
A detailed explanation is available at https://spyse.com/blog/cybersecurity-research/breached-elasticsearch-servers-leaks-millions-of-records
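As an added example (not Spyse's tooling and not code from the original post), the following Python script carries out Step 2 and goes one step further: it classifies the reply to GET / on port 9200 as an open node, a node that demands credentials, or something that is not Elasticsearch at all, and it parses the `_cat/indices?format=json` listing an open node exposes so you can see which user indices, and how many documents, are reachable without a password. The sample responses are constructed to mirror the shape of real Elasticsearch replies; the host name in the commented-out probe call is hypothetical.

```python
"""Triage hosts that answer on TCP/9200 for an open Elasticsearch node.

Added example, not Spyse's code. The sample responses below are constructed;
the host name in main() is hypothetical. Only probe hosts you are authorized
to test.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, List, Optional

# Every Elasticsearch node returns this tagline in the banner at GET /.
ES_TAGLINE = "You Know, for Search"


def classify_banner(status: int, body: str) -> str:
    """Classify the HTTP response to GET / on port 9200.

    "open"          - an Elasticsearch banner came back with no authentication
    "auth-required" - HTTP 401, i.e. security (or a proxy) guards the node
    "not-es"        - something else is listening on the port
    """
    if status == 401:
        return "auth-required"
    if status != 200:
        return "not-es"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-es"
    if not isinstance(doc, dict):
        return "not-es"
    if doc.get("tagline") == ES_TAGLINE and "number" in doc.get("version", {}):
        return "open"
    return "not-es"


def banner_version(body: str) -> Optional[str]:
    """Return the Elasticsearch version advertised in an open banner, if any."""
    try:
        return json.loads(body)["version"]["number"]
    except (ValueError, KeyError, TypeError):
        return None


def summarize_indices(cat_json: str) -> List[Dict[str, object]]:
    """Parse GET /_cat/indices?format=json and keep user indices only.

    Names starting with '.' (.kibana, .security, ...) are system indices; the
    rest are where leaked customer and business data lives. In _cat output
    docs.count is a string, and null for closed indices.
    """
    out = []
    for row in json.loads(cat_json):
        name = row.get("index", "")
        if name.startswith("."):
            continue
        out.append({
            "index": name,
            "docs": int(row.get("docs.count") or 0),
            "size": row.get("store.size"),
        })
    # Largest indices first: that is where an attacker (or you) would look.
    return sorted(out, key=lambda r: r["docs"], reverse=True)


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> str:
    """Live check of one host: GET http://host:port/ and classify the reply."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_banner(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_banner(err.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample responses (not captured from any real server).
OPEN_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "7.6.2", "build_flavor": "default", "lucene_version": "8.4.0"},
    "tagline": ES_TAGLINE,
})
CAT_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": ".kibana_1",
     "docs.count": "12", "store.size": "40.1kb"},
    {"health": "yellow", "status": "open", "index": "customers",
     "docs.count": "120345", "store.size": "58.2mb"},
    {"health": "yellow", "status": "open", "index": "orders",
     "docs.count": "980211", "store.size": "412.7mb"},
    {"health": "red", "status": "close", "index": "archive-2018",
     "docs.count": None, "store.size": None},
])


if __name__ == "__main__":
    print("banner:", classify_banner(200, OPEN_BANNER), banner_version(OPEN_BANNER))
    for row in summarize_indices(CAT_INDICES):
        print(f"{row['index']:<16} {row['docs']:>9} docs  {row['size']}")
    # Uncomment to probe a host you are allowed to test (hypothetical name):
    # print(probe("es.example.internal"))
```

The same `probe` function works as a defender's check: run it against every address on your own perimeter and treat any "open" result as an incident. The fix on the Elasticsearch side is to set `xpack.security.enabled: true` in elasticsearch.yml (it is off by default on 7.x), point `network.host` at an internal interface instead of 0.0.0.0, and keep port 9200 behind a firewall.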