eCommerce security company Sansec has conducted a study of 2,037 online stores, which revealed that 12.3 percent of them are inadvertently exposing compressed files that contain highly sensitive data.
These files are often private backups containing master database passwords, confidential store admin URLs, customer data and internal API keys, and they sit in public-facing web folders where anyone can download them without authentication.
Threat Actors Exploit Accidental Data Leaks
Sansec Threat Research group found multiple attack patterns coming from various IPs, which suggests that a number of threat actors are aware of this exposure and are working to exploit it. Automated attacks against online stores try thousands of possible backup file names and continue for weeks until a backup is found.
Sansec Urges Online Store Owners to Take Action
Sansec has urged online store owners to take immediate action to prevent the accidental exposure of sensitive data. Website owners should check for unauthorized admin accounts, change all passwords, and implement two-factor authentication (2FA).
In addition, online store owners should ensure that backup files are not reachable from the public internet; if they are, close them off immediately and investigate the store for any signs of compromise.
Site owners should also run an eCommerce malware scanner and ensure the remote database admin panel is not available on the public internet.
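The "ensure backup files are not open to the public internet" step starts with finding out whether any archive or backup files sit inside the web server's document root at all. The following audit script is an added example, not Sansec's tooling or part of the original article; the sample web root it builds under a temporary directory is constructed for the demonstration, and the suffix list is an assumption about what typically indicates a backup rather than an exhaustive rule.

```python
import os
import tempfile

# Suffixes that usually indicate an archive, database dump or editor/backup copy.
# Assumption for this example: none of these belong inside a public document root.
SENSITIVE_SUFFIXES = (
    '.zip', '.tar', '.tar.gz', '.tgz', '.gz', '.rar', '.7z',
    '.sql', '.bak', '.old', '~',
)


def find_exposed_archives(webroot):
    """Walk the document root (not following symlinks) and return every
    archive-like file as (relative_path, size_in_bytes), sorted by path.

    Anything returned here is served by the web server unless a separate
    access rule blocks it, so each hit needs to be moved out or denied."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(webroot, followlinks=False):
        for name in filenames:
            if not name.lower().endswith(SENSITIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                # report only regular files; a dangling link has no size
                continue
            found.append((os.path.relpath(full, webroot), os.path.getsize(full)))
    return sorted(found)


def build_sample_webroot():
    """Constructed example tree (not a real store) so the audit can run offline."""
    root = tempfile.mkdtemp(prefix='webroot-')
    layout = {
        'index.php': '<?php echo "shop"; ?>',
        'media/catalog/product.jpg': 'JFIF',            # legitimate public asset
        'backup-2023-01.zip': 'PK' + 'x' * 1000,         # full-site archive in the web root
        'var/db.sql.gz': 'x' * 500,                      # compressed database dump
        'app/etc/env.php.bak': 'EXAMPLE-ONLY placeholder config copy',  # leftover config copy
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write(content)
    return root


if __name__ == '__main__':
    # Point this at the real document root (e.g. the store's pub/ directory)
    # instead of the constructed sample when auditing a live host.
    sample_root = build_sample_webroot()
    for rel_path, size in find_exposed_archives(sample_root):
        print(f'EXPOSED  {rel_path}  ({size} bytes)')
```

Run it from the server itself against the real document root; an empty result means no archive-like file is physically inside the served tree, but it says nothing about a directory that is served from elsewhere by an alias or rewrite, so check the web server configuration for those as well.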
Preventing Accidental Data Leaks
To avoid creating accidental data leaks on online shops, Sansec advises owners to:
- deploy store code on a read-only file system,
- schedule frequent file backups,
- restrict access to backup files, and
- start monitoring for online data exposure.
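Both the attack pattern Sansec describes (one client requesting thousands of candidate backup names over a long period) and the "start monitoring for online data exposure" advice can be covered by a small check over the web server's access log. The script below is an added example and not part of the article or of Sansec's tooling: it parses combined-format log lines, counts how many distinct archive-like paths each client has requested (a scanner probes many names, a shopper requests none), and separately reports any archive path that was actually served with a 200 status, which is the signal that a backup has already been downloaded. The log lines are constructed for the example, and the threshold of five distinct paths is an assumption to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in nginx/Apache "combined" format (not real traffic).
# 198.51.100.7 is a scripted client probing backup names; one probe succeeds.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2023:10:01:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2023:10:02:10 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.7 - - [12/Jan/2023:10:02:11 +0000] "GET /backup.tar.gz HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.7 - - [12/Jan/2023:10:02:12 +0000] "GET /db.sql.gz HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.7 - - [12/Jan/2023:10:02:13 +0000] "GET /shop.sql HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.7 - - [12/Jan/2023:10:02:14 +0000] "GET /site.rar HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.7 - - [12/Jan/2023:10:02:15 +0000] "GET /store-2022.zip HTTP/1.1" 200 48213766 "-" "python-requests/2.28"
203.0.113.10 - - [12/Jan/2023:10:03:00 +0000] "GET /media/catalog/product.jpg HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
203.0.113.22 - - [12/Jan/2023:10:04:00 +0000] "GET /export.csv HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Same archive/dump suffixes a web root audit would look for (assumption for this example).
ARCHIVE_SUFFIXES = ('.zip', '.tar', '.tar.gz', '.tgz', '.gz', '.rar', '.7z', '.sql', '.bak')


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def is_archive_path(path):
    """True when the request path (query string ignored) looks like an archive or dump."""
    return path.split('?', 1)[0].lower().endswith(ARCHIVE_SUFFIXES)


def analyse(log_text, probe_threshold=5):
    """Return {'scanners': {ip: distinct_archive_paths}, 'exposures': [(ip, path, bytes)]}.

    'scanners' lists clients that requested at least probe_threshold distinct
    archive-like paths; 'exposures' lists archive paths answered with 200,
    i.e. files that were really served and must be treated as leaked."""
    probes = defaultdict(set)
    exposures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_archive_path(rec['path']):
            continue
        probes[rec['ip']].add(rec['path'])
        if rec['status'] == 200:
            exposures.append((rec['ip'], rec['path'], rec['size']))
    scanners = {ip: len(paths) for ip, paths in probes.items() if len(paths) >= probe_threshold}
    return {'scanners': scanners, 'exposures': exposures}


if __name__ == '__main__':
    result = analyse(SAMPLE_LOG)
    for ip, count in result['scanners'].items():
        print(f'SCANNER   {ip} probed {count} distinct archive names')
    for ip, path, size in result['exposures']:
        print(f'EXPOSURE  {path} served to {ip} ({size} bytes)')
```

A 404-only scanner entry is an early warning that a campaign is under way against the store; an exposure entry means the backup has left the server, so the credential rotation, admin account review and compromise investigation described above apply immediately rather than as a precaution.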
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.