BazarChic, a member of the Galeries Lafayette Group, specializes in clearance sales of high hand brands.

What’s Going On?

Our team of white hat hacktivists at WizCase was able to access what seemed to be private customer data through an unsecured database. The breach, which was discovered through an insecure configuration in the Kibana interface for the Elasticsearch engine, exposed potentially sensitive customer data. The data that was found on the server includes:

Example of the personal customer data we were able to access

Whose Data is Available

Since the database seemed to log users every time they logged in, and not just unique entrances, it was hard to pin down an exact number of users affected. However, we can say that thousands of visitors were logged into the system since January 2019. While most of the data remained on the server since the beginning of 2019, financial details appeared to be deleted on a monthly basis. We also determined that not every transaction was logged on this server, it seems that only failed payments attempts were stored here. The data that was found is a potential gold mine for hackers and identity thieves. The possible risks to the BazarChic user include:

Example of the leaked credit card information we were able to find 

If a hacker were to access the BazarChic data through the Kibana interface, they would easily be able to access system data that should remain private. While not all the info found will be directly beneficial to finding an exploit but it will surely help in performing reconnaissance on the system for more elaborate hacks. In any case, best practice is to expose the minimum amount of data about the underlying technology and backend system. The reason for this is that there are different known exploits & vulnerabilities for specific frameworks, technologies and platform versions. Identifying that a given site is using some unpatched software in its infrastructure which could be attacked using one of these exploits is easier if such logs as the ones seen in the leak are available. In the Kibana interface, we witnessed logs that indicate a brute force attack to the login mechanism. This tells us that what happens to the system is reflected in this database and can be used against it. This kind of system data could also include private data about the users in some cases (e.g. an HTTP request showing a POST request with a user’s email & password). This data could be used to attack or map the site and discover more resources from the web application.

How Did It Happen and How Can it Be Prevented?

We were able to identify an open Kibana interface with no authentication that contained sensitive information. This is a known issue in setting up Kibana and Elasticsearch servers – the systems are intentionally made to be internal and with no default authentication (since they are meant to be used for analysis & activity logging from within a company’s internal network). However, they are sometimes set up in a way exposing them to external networks and the internet, thus causing such leaks. To protect this server, BazarChic may first have to prevent it from being accessed from external sources and add a password authentication mechanism to the Kibana interface. There are several ways to add these security measures, depending on the implementation. In such cases, it’s also important to remember to change the default user & password. It’s also crucial to assign user roles for those with access rights to the data and set correct privileges so that only certain people will have access to sensitive data. Newer versions of Kibana should have security plugins & access controls already installed by default, so the server administrators only need to configure them properly. An additional related line of defense would be to make sure that the server is running with encrypted HTTPS communication in order to prevent the data from being sniffed. It’s also worthwhile to mention that logging sensitive data and saving it in clear-text should usually be avoided if possible. We strongly recommend that if you logged into BazarChic since the beginning of 2019 to take some steps to secure your online identity. This includes:

Who is WizCase? Why Should I Trust You

Wizcase is an international online security website that is translated into 30 languages. While our focus is on VPN reviews, comparisons, and tutorials we also have a dedicated Security Research Team. Once we uncover a data leak, we first contact the company and give them time to close their leak before releasing the data to the public.

Related Post: BREACH: Hospitality Management Platform Leaks Sensitive Client & Guest Data