Data Breach

Sky.com servers exposed via misconfiguration

CyberNews researchers found an exposed configuration file hosted on a Sky.com subdomain containing production data.

Original post @ https://cybernews.com/news/sky-com-servers-exposed-via-misconfiguration/

CyberNews researchers found an exposed configuration file hosted on a Sky.com subdomain, containing what appear to be production-level database access credentials, as well as addresses to development endpoints.

Sky, a subsidiary of Comcast, is Europe’s largest media company, boasting a 12% market share and a revenue of approximately £13.4 billion in 2020, as well as more than 31,000 employees and 24 million customers. UpLift Media, launched by Sky and Molson Coors in 2015, is an in-venue digital screen advertising network that operates digital screens in bars and other leisure venues across the UK.

During a threat intelligence gathering operation, our Investigations team came across an exposed configuration file that included plain text access credentials to multiple databases on a domain hosted by the Sky media conglomerate.

The configuration file, first indexed on an IoT search engine on September 7, appears to be the main configuration file of the application hosted on the ‘upliftmedia’ subdomain of Sky.com, and includes plain text access credentials to databases hosted on the Sky.com domain.

The IoT search engine that indexed the file enforces a ‘grace period’ of 30 days, during which the indexed leaks are only visible to ‘trusted users and researchers.’ This is presumably intended to help security researchers vetted by the search engine’s staff to secure the exposed devices and files indexed on the service.

Now, however, the URL to the exposed configuration file became publicly visible to anyone with a free search engine account, which might include malicious actors.

After we reported the issue to Sky on October 8, a company representative informed CyberNews that Sky has “taken action to address the issue.” Access to the configuration file has now been disabled.

To see if any of your online accounts were exposed in previous security breaches, use our personal data leak checker with a library of 15+ billion breached records.

What’s in the configuration file?

The unsecured configuration file appeared to contain, among other things:

  • Production-level access credentials (including passwords in plain text) to databases hosted on the Sky.com subdomain, from localhost (development branch) to Windows Server (production branch).
  • IP addresses and domain names that lead to development endpoints – specialized environments used by developers for testing and iteration.

Example of exposed database access credentials:

Note: Our researchers did not access any unsecured databases due to the potential ethical implications of accessing private databases without authorization.

Who had access?

While it’s unclear if any malicious actors or security researchers have accessed the configuration file before it was secured by Sky, the file itself was presumably indexed by the IoT search engine for at least 30 days prior to its publication.

Anyone who knew where to look could have accessed the data during that period and abused the authentication credentials found in the configuration file.

What’s the impact?

Without having accessed the databases themselves, it would be difficult to calculate the impact of this leak on Sky, UpLift Media, or their customers.

There’s no way to tell what data is being stored on the production server. With that said, exposed configuration files can serve as quick infiltration shortcuts for ransomware groups that could take a company’s servers and data hostage.

If the databases held personal user information, the impact of phishers getting their hands on that data could be massive: Sky.com email credentials could let malicious actors send phishing emails directly from the Sky.com domain, bypassing spam filters and gaining their victims’ trust in the process.

In addition, abusing database access credentials could help threat actors plant a shell interface on the Sky.com web server, potentially resulting in full website takeover, as well as expansion to Sky’s other corporate networks.

Losing plain text credentials for internal servers and databases can spell disaster for any company. Considering the massive scope of disruption a complete network takeover would cause to both Sky and its clients, ransomware operators or affiliates would pay extremely handsomely for a leak of this type on the black market. Such misconfigurations are prime targets for ransomware cartels and bad actors looking to profit from mistakes made by companies of Sky’s size and importance.

The importance of educating support staff on responsible disclosure

In 2021, organizations that wish to avoid security breaches must react faster than ever, which is why technical support staff needs to be acquainted with responsible disclosure procedures. While we commend Sky for fixing the misconfiguration issue quickly and efficiently, getting to the right person has proven to be somewhat difficult.

Unfortunately, it took multiple phone calls with Sky support staff from several unrelated departments before we could reach someone capable of understanding the problem.

Moreover, Sky’s responsible disclosure help page includes an ‘Ask Sky Community’ button, which presumably allows security researchers (or anyone else, for that matter) to report vulnerabilities and security breaches directly to Sky’s public message boards. It goes without saying that the inclusion of the button left us speechless.

When it comes to reporting security breaches, every minute counts, and with the number of cyberattacks growing at unprecedented rates, organizations must focus on educating staff about security policies and disclosure procedures before it’s too late.

Disclosure

On October 8, we reached out to Sky to inform them of the leak and help secure the exposed configuration file. We also asked the company for a comment and posed further questions regarding the incident.

On the same day, a Sky representative informed CyberNews that following an internal investigation, access to the file has been disabled and the servers are no longer accessible.

We will update the article as soon as we receive further comments from Sky.

About the author: CyberNews Team

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, sky.com)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco warns of password-spraying attacks targeting Secure Firewall devices

Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…

1 hour ago

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

5 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

19 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

1 day ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

2 days ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

This website uses cookies.