Database Security Digest – December 2018
Quora
Quora has become the latest big-name tech firm to suffer a major data breach. It has become known this month that information on about 100 million users may have been compromised.
The Quora website is an extremely popular place to get answers to your questions. But, unfortunately, a malicious third party has found its unauthorized way into this website. Quora is currently carrying out a forensic investigation about the exact сause of this accident.
The potentially leaked information may include such account information as names, emails, and encrypted passwords, as well as data from social networks like Facebook and Twitter. In addition, the hackers have also gained access to users’ activity – questions asked, answers given, comments, direct messages, upvotes, and downvotes.
The affected users have been notified and logged out. The company believes it has identified the root cause of this accident and taken steps to address the issue, although the investigation is still going on and Quora is planning to make IT security improvements.
120 Million Brazilians Exposed
120 million Brazilians have had their personal identifiable information leaked on the internet. This happened due to yet another IT miscofiguration.
This accident relates to Cadastro de Pessoas Físicas (CPFs). This is the agency that issues special IDs to all citizens and tax-paying residents. Over a half the population of South America’s biggest country is affected by this accident.
IT security researches found the database with this information exposed on an Apache web server in March, after a simple internet search.
After some investigation it was found out that someone had renamed the ‘index.html’ to ‘index.html_bkp,’ revealing the directory’s contents. Anyone knowing the filename and navigating to it would have unlimited access to all the folders and files within.
The agency has broken the basic IT security rules: it shouldn’t have renamed the main index.html file or should have prohibited access through .htaccess configuration.
The researchers are expecting this database to be soon on sale on the Dark Web. It’s strongly recommended that the Brazilian government conduct a thorough investigation into this accident.
Boomoji
A popular Chinese application, Boomoji that has about 5.3 million users across the worlds allows iOS and Android users to create 3D avatars.
However, the personal data of its entire database was leaked after Boomoji had left 2 ElasticSearch databases unprotected without a password.
The company distributed its servers, the one serving international users was set up in the USA, and the other, serving Chinese users, was based in Hong Kong due to China’s data security laws requiring that. These 2 databases contained the usernames, gender, country, phone type, unique Boomoji ID, users’ schools. In addition to that databases had the geolocation of about 400 thousand users and the phone book entries of every user that allowed the app access their contacts.
As some users allowed access to their phone book the total number of those potentially affected can go up to 125 million people. These people may not even know that this app exists and still had their personal information exposed. And all that is because of vulnerable databases.
Hackers are developing their tools for hacking and finding vulnerabilities every day. That is why it’s so important to keep all the information you’re responsible for under you total control. And, of course, just leaving your databases you’re in charge of somewhere unattended is just totally inappropriate.
Security updates for databases
Oracle
https://nvd.nist.gov/vuln/detail/CVE-2018-16868https://nvd.nist.gov/vuln/detail/CVE-2018-16869
https://nvd.nist.gov/vuln/detail/CVE-2018-19439
MySQL
https://nvd.nist.gov/vuln/detail/CVE-2018-17957https://nvd.nist.gov/vuln/detail/CVE-2018-19439
https://nvd.nist.gov/vuln/detail/CVE-2018-15719
https://nvd.nist.gov/vuln/detail/CVE-2018-14704
https://nvd.nist.gov/vuln/detail/CVE-2018-14703
https://nvd.nist.gov/vuln/detail/CVE-2018-14700
https://nvd.nist.gov/vuln/detail/CVE-2018-14696
https://nvd.nist.gov/vuln/detail/CVE-2018-14695
MySQL
https://nvd.nist.gov/vuln/detail/CVE-2018-2497https://nvd.nist.gov/vuln/detail/CVE-2018-2502
MS SQL Azure
https://nvd.nist.gov/vuln/detail/CVE-2018-8652IBM DB2
https://nvd.nist.gov/vuln/detail/CVE-2018-1977MongoDB
https://nvd.nist.gov/vuln/detail/CVE-2018-1784Elasticsearch
https://nvd.nist.gov/vuln/detail/CVE-2018-17247https://nvd.nist.gov/vuln/detail/CVE-2018-17244