E-Commerce Shops: 12% Are Publicly Exposing Private BackupsHackers Actively Scanning for Backups to Steal Access Credentials, Researchers Warn
Attention online shoppers: Your favorite digital boutique may be exposing customer data through badly configured backups.
A study of 2,037 e-commerce shops found that 250 of them had backups that contained private information and that were stored in publicly accessible folders with no access restrictions.
The report from Sansec, an Amsterdam firm that helps merchants secure their online stores, says such backups can be easy to find. They're often stored as ZIP, SQL, TAR, GZ or TGZ files, and sport names such as
Many contain everything an attacker needs to gain administrator-level access to a site, such as "the secret administrator URL of a store, the password for the master database, plus hashed passwords for staff accounts," as well as "secret API keys and full customer data," meaning personally identifiable information - aka PII, according to Sansec's report.
The impetus for the research was Sansec repeatedly seeing publicly exposed backups when conducting digital forensic investigations and researchers hypothesizing that the problem might be widespread, says Willem de Groot, the company's director of threat research. "To quantify our suspicion, we worked with our hosting partners to run a broad analysis," and given the sample size, he thinks the results are "representative of the self-hosted e-commerce platform market."
The problem of publicly exposing private backups doesn't appear to be academic, since multiple attack groups have been seen using automated tools to pummel e-commerce shops for such files. "We have observed automated attacks against online stores, where thousands of possible backup names are tried over the course of multiple weeks," Sansec reports.
These attacks can attempt to find directories and files with well-known names, or which employ words based on the site name or pulled from DNS information. "Because these probes are very cheap to run and do not affect the target store performance, they can essentially go on forever until a backup has been found," Sansec says.
Once attackers gain remote access to a site, they may be able to introduce malicious code, such as digital skimmers or sniffers designed to grab card payment data as it is input by customers, via what's known as Magecart-style attacks. Stolen customer data can be used for social engineering attacks, including phishing campaigns.
Both small and large e-commerce operations have been leaking private backups, Sansec's researchers found. "The only organizations that don't suffer from this are those with strict deployment procedures - meaning that manual intervention on production systems is forbidden," de Groot says.
As part of the research, none of the exposed backups got downloaded. Instead, he says, affected merchants as well as the hosting providers with which Sansec works got a heads-up, and the latter "implemented platform-wide mitigations" to fix this problem.