September 25, 2020

Thai operators leaked 8.3 billion user internet records


Public DNS providers are currently promoting encrypted DNS, that is, encrypting DNS queries so that network operators cannot snoop on users through their query records.

With the ordinary, unencrypted query service most of us use today, every record passes through the network operator, who therefore knows which websites and specific addresses we visit each day.

These access records can be used to build a profile of the user and infer their interests, and the data can then be resold to advertising networks to push personalized ads.

The data recently leaked by Thai operator AIS shows why it is very important to enable DoH (DNS over HTTPS) or DoT (DNS over TLS); otherwise, the operator is not the only one who knows which websites you visit.

According to security researchers, an ES (Elasticsearch) database controlled by a company belonging to the Thai network operator AIS was publicly accessible; the database mainly recorded network access.

The database contained up to 8.3 billion network access and network flow records, 4.7 TB in size, and grew by an average of 200 million records about every 24 hours.

Because of improper configuration, the operator exposed the database to the public network, where it could be accessed without authentication, which means that anyone could download and export the data.

What is more embarrassing is that the researchers contacted the operator immediately after discovering the security incident, but the operator's security awareness seems to be relatively weak, and no one fixed it.

In the end, the researchers contacted the National Computer Emergency Response Center of Thailand directly to report the problem, and the response center then contacted AIS to secure the database.
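The exposure described above comes down to two conditions: a listener reachable from outside the host and no authentication in front of it. The following added example (not code from the article or from AIS) audits a flat `elasticsearch.yml` for that combination; the sample configs, the function names and the 7.x-era default of security being off are assumptions.

```python
# Added example, not from the article: flag the "public + no authentication"
# pattern in flat "key: value" elasticsearch.yml text. Samples are constructed.
import ipaddress

EXPOSED_SAMPLE = """\
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
"""

HARDENED_SAMPLE = """\
network.host: 10.0.5.12        # constructed internal address
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Read flat 'dotted.key: value' lines; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def reachable_off_host(host):
    """True unless the bind address is clearly loopback-only."""
    if host in ("localhost", "_local_"):
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # hostname, _site_, _global_, list: assume reachable

def audit(text):
    """Return (severity, message) findings for one config file's text."""
    cfg = parse_flat_yaml(text)
    host = cfg.get("http.host", cfg.get("network.host", "_local_"))
    # Assumption: 7.x-era default, where security is off unless enabled explicitly.
    auth = cfg.get("xpack.security.enabled", "false").lower() == "true"
    tls = cfg.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if reachable_off_host(host) and not auth:
        findings.append(("CRITICAL", "HTTP API on %s answers without authentication" % host))
    elif reachable_off_host(host) and not tls:
        findings.append(("HIGH", "credentials sent to %s are not protected by TLS" % host))
    return findings

if __name__ == "__main__":
    print(audit(EXPOSED_SAMPLE), audit(HARDENED_SAMPLE))
```

A config check like this only covers the node's own settings; firewall and security-group rules decide whether the bound address is actually reachable from the internet.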

According to the information released by the security researchers, this database server was mainly used to log records for the more than 40 million Thai users of AIS's network services.

The data mainly consists of DNS request logs and the number and details of IP packets, that is, the data generated when users access websites and network services day to day.

The data is recorded according to each user's network activity, so it can be attributed to a specific user, and a rough profile of that user can be pieced together from it.

For example, knowing which websites and specific pages users mainly visit every day, operators can use these visit records to infer the content users are generally interested in.

Of course, even if a user visits an adult website in the browser's incognito mode, the visit is still recorded by the operator, and the record may be leaked or resold by the operator.

Encrypted DNS services based on HTTPS or TLS can avoid this situation. Once queries are encrypted, operators cannot see the details of the websites and URLs that users visit.

Via: TechCrunch