Backend Servers for 1,000 Apps Expose Terabytes of User Data

[CrAKeN]

 

There are 1,000 apps available for download today that despite not containing any malware or featuring glaring vulnerabilities, they communicate and store data on improperly secured backend servers, exposing user data along the way.

 

This is the conclusion of an investigation conducted by mobile security experts from Appthority for their 2017 Q2 Enterprise Mobile Threat Report.

 

The company's experts say they've analyzed the backend connections of 1,000 mobile apps to see if they connect to publicly-accessible servers.

 

Over 43 TB of data found on 21K+ unsecured Elasticsearch servers

Researchers initially planned to scan apps that connect to MongoDB, Redis, CouchDB, Couchbase, Elasticsearch, and MySQL servers, but they scrapped their initial idea after realizing the enormous amount of unsecured data there was available online.

 

Instead, they looked only for apps that connected to Elasticsearch servers, a popular technology among app developers.

 

"To enable rich functionality, developers often use backend servers to store persistent user data and programs like Elasticsearch to mine and analyze the data," Appthority experts explain. "Elasticsearch does not have built in security and access control and relies on external implementation of these security features with an authentication plugin or API for access."

 

Researchers say they've found apps connecting to over 21,000 Elasticsearch servers, left exposed online without proper authentication.

 

These unsecured ElasticSearch servers exposed over 43 TB of data, including user personally identifiable information (PII), unencrypted credentials, geo-location data, medical data, and more.

 

Billions of user records exposed online

Furthermore, when Appthority experts narrowed down their analysis to only 39 apps, they found these apps exposed 163.53 GB of data when talking to their backend servers, regardless of server technology.

 

Just from these 39 apps researchers said they could have collected over 280 million user records.

 

Data like this, and in the quantity Appthority experts say they found, is incredibly valuable for hackers and data hoarders on the Dark Web.

 

Most user data is most likely stolen by now

Developers that have left app backend servers exposed online can be very certain that someone has stolen that data and is already peddling it online.

 

There are waves upon waves of scans for Internet-available data storage servers. These scans were frequent last year, and became more intense over the winter, especially after a rash of database ransom incidents that targeted MongoDB, Elasticsearch, CouchDB, Hadoop, and MySQL servers.

 

Those attacks — which involved hackers taking over an unsecured database server, stealing or wiping its data, and demanding a ransom — have died down in the meantime, but the number of easily accessible servers has remained at pretty high values,

Besides a summary of the findings, the Appthority report also includes analysis of two apps that sent data to unsecured backends. The 17-page report is available for download from here.

 

Source