Cricketsocial.com, is a social platform developed for the cricket community online. CyberNews discovered that a database used by the platform was left open online, it contains a huge trove of data.
The Social platform for the cricket community exposed over 100k entries of private customer data and credentials.
The database, hosted by Amazon Web Services (AWS) in the US, contained admin credentials and private customer data, including email, phone numbers, names, hashed user passwords, dates of birth, and addresses. The experts noticed that most of the records in the database seem to be test data, however, the experts discovered it also includes personally identifiable information (PII) of legitimate site users. The data stored in the database includes posts, comments, number of likes, and links to images kept on the AWS storage bucket.
“Even if all the information stored was test data, leaving data in plaintext is a poignant indication of bad security practices being employed. That creates unnecessary risks for unsound practices creeping into the production environment if left unchecked.” Cybernews researchers said.
The experts discovered the database also exposed plaintext credentials for a website administrator account, a piece of information that could allow an attacker to take over the platform.
The storage of passwords in plaintext is a bad practice that could advantage threat actors while targeting an infrastructure
Experts also found a second open instance of the database owned by cricketsocial.com that contains all the same types of information found in the first one. However, the second database was much smaller, likely because it was part of a development and quality assurance environment.
Experts warn that threat actors can use multiple tools to distinguish test data from real ones.
“Even if all the information stored was test data, leaving data in plaintext is a poignant indication of bad security practices being employed. That creates unnecessary risks for unsound practices creeping into the production environment if left unchecked,” researchers conclude. “information can be sold for substantial amounts of money. Threat actors could later use this information for identity theft or spam.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Cricketsocial.com)