September 26, 2020

ElasticSearch Servers Permanently Leak Millions of Records

3 min read

ElasticSearch Servers Permanently Leak Millions of Records.

A large number of elasticsearch servers have no basic security, which means that they are open for anyone.

Elasticsearch search issues are the age-old story, but it still affects the top “game players” of the market: Google, Amazon, Alibaba, and Microsoft. Time goes on but it seems like it doesn’t even bother anyone. Because still, nothing changes.

The main problem of such data leakage is that Elasticsearch doesn’t have any security system by default, and a large part of developers neglect a chance to protect their data.

The Spyse team utilized their search engine and got 436 terabytes of available data in return to a few simple searches. These data belong to enterprises like Amazon, Digital Ocean, Google, Microsoft, ESPN, and lots of Chinese corporations.

Data analysis shows that leaked data contains lots of users’ sensitive data (passwords, names, emails, addresses, etc…), business information (revenue, products, employees, etc…), and every single thing that could be stored in Elasticsearch.

Here are the data fields that were received from one of Amazon’s servers:

*Note: this is just a sample and this server could belong to someone who uses Amazon as a hosting.

"fields_list": [
        "auth_user",
        "auth_user.company_id",
        "auth_user.country",
        "auth_user.country.address_format_id",
        "auth_user.country.country_name",
        "auth_user.country.ebay_countrycode",
        "auth_user.email",
        "auth_user.first_name",
        "auth_user.is_active",
        "auth_user.is_staff",
        "auth_user.is_superuser",
        "auth_user.issuperadmin",
        "auth_user.last_name",
        "auth_user.password",
        "auth_user.reset_password",
        "email",
        "first_name",
        "gender",
        "last_name",
        "orders",
        "phone",
        "tab_id",
        "tab_name",
        "tab_parent_id",
        "tin",
        "totalorder"
]

Leaked Data

 

Top 3 most vulnerable countries

Country Number of servers
China 5468
United States 4256
Germany 1070

 

Vulnerable domains by Alexa Rank 

Alexa Rank Domain
16451 espn.com.mx
18568 htmlbook.ru
21661 qyresearch.com
25914 econet.ru
28058 baiduyunpan.com
30961 btba.cc
31947 btba.com.cn
32804 espn.com.au

 

Top 10 most vulnerable organizations

Organization Number of Servers
Hangzhou Alibaba Advertising Co., Ltd. 2478
Amazon.com, Inc. 1933
DigitalOcean, LLC 1332
Google LLC 1203
Shenzhen Tencent Computer Systems Company Limited 910
OVH SAS 825
Microsoft Corporation 745
Hetzner Online GmbH 336
Linode, LLC 321
China Unicom Beijing Province Network 236

 

Instead of the leaked data itself, the danger is on the way hackers may use it. There are lots of opportunities from the tiniest to the largest, that can damage the reputation, disrupt the company processes, and cause financial damage. For example, attackers can change the orders’ status to “paid” and deliver products for free, or intercept the container full of goods, or quietly connect and sell insider information to competitors.

It’s just a few simple examples, real hackers could be very creative when it comes to over 6 zeros numbers.

How Spyse found this data.

Step 1. Search for all elasticsearch databases that usually are at the port 9200.

Request’s sample:

Step 2. It’s important to make sure that found IP addresses have Elasticsearch databases. Simple Get request will help to find out.

And that’s all. With the help of the data connection techniques, users now have IPs in relation to the organization, ISP, domains & subdomains, related vulnerabilities. No one knows who and how will use this information…

It’s important to realize that it’s not the first time of server breach, these databases are commonly opened and ready to be exploited. It is hoped that after this article, developers will finally begin thinking about their security needs and follow the basic ElasticSearch recommendations.

Detailed explanation on https://spyse.com/blog/cybersecurity-research/breached-elasticsearch-servers-leaks-millions-of-records