An unsecured database belonging to Fieldwork Software exposed customer names, credit cards, alarm codes, and other sensitive details.
vpnMentor’s research team found a leak in the Fieldwork software database. Noam Rotem and Ran Locar, the heads of our cybersecurity research team, found a leaking database belonging to Fieldwork. Fieldwork offers software that helps small businesses manage their operations efficiently.
We found a large amount of exposed data in the breach. This included customer names, addresses, phone numbers, email addresses, alarm codes, signatures, client information, credit card details, photos, and other detailed comments. Most significantly, we found auto-login links that give access to a user’s Fieldwork service portal. The implications of this breach are extensive.
Of significant concern was a direct access link to the company’s backend system, and communication logs that detailed such information as alarm codes, building access details, and the location of clients’ hidden keys.
We contacted Fieldwork when we discovered the leak. They were professional and efficient after receiving our email. Fieldwork closed the leak 20 minutes after we spoke with them.
Data Breach Impact
There was an extensive amount of information included in the data, even if only 30 days of logs were available. Though Fieldwork filtered passwords in some places, some of the templates that we viewed gave detailed information about finding account credentials. We also had free access to an auto-login link that was included in the database. This allowed access to the customer portal.
Access to the portal is a particularly dangerous piece of information. A bad actor can take advantage of that access not just by using the detailed client and administrative records stored there. They could also lock the company out of the account by making backend changes. Even if there were authentication steps involved in changing login information, it’s possible that some of this information was present in the open database.
Furthermore, if the login links were easy to organize, someone with malicious intent could easily save them. In that case, it wouldn’t matter if the database were closed. They would still have direct access to a large number of accounts. Saving the other account credentials in the database was always a possibility, but it would be a more time-consuming and challenging task. Access to the backend portal means someone could open a company’s records at any time, even after Fieldwork fixed the breach.
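The auto-login links described above ended up in the database because they were written into communication logs alongside alarm codes and key locations. One mitigation is to scrub such records before they are stored, so that a later exposure of the log store does not hand out live portal access. The following is an added example, not code from vpnMentor or Fieldwork; the parameter names treated as secrets, the field names, and the sample records are constructed assumptions for illustration.

```python
"""Redact auto-login links and other secrets from records before they are logged.

Added example (not the vendor's code). Assumptions: secret-bearing query
parameters and sensitive free-text fields are named as in the sets below;
adjust both to the application's real field names.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names that commonly carry a bearer-style secret
# (assumed names; an auto-login link is only as secret as this value).
SECRET_PARAMS = {"token", "auth", "autologin", "key", "session", "sig"}

# Fields that should never reach a shared log store at all (assumed names).
SENSITIVE_FIELDS = {"alarm_code", "key_location", "gate_code"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redact_url(url: str) -> str:
    """Replace the value of every secret-bearing query parameter with [REDACTED]."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[REDACTED]" if k.lower() in SECRET_PARAMS else v) for k, v in query]
    # safe="[]" keeps the marker readable instead of percent-encoding it.
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def redact_record(record: dict) -> dict:
    """Return a copy of a log record that is safe to persist.

    Sensitive fields are replaced by a marker; every URL found inside a
    string value has its secret parameters scrubbed. Other values pass through.
    """
    out = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS:
            out[field] = "[REDACTED]"
        elif isinstance(value, str):
            out[field] = URL_RE.sub(lambda m: redact_url(m.group(0)), value)
        else:
            out[field] = value
    return out


# Constructed sample records; not taken from the leaked database.
SAMPLE_RECORDS = [
    {"event": "note",
     "text": "Portal link: https://portal.example.com/login?user=42&token=abc123def456"},
    {"event": "visit", "text": "Arrived on site",
     "alarm_code": "1234", "key_location": "under the mat"},
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(redact_record(rec))
```

Run the redaction at the point where the record is built, before it is handed to any logging or messaging pipeline; redacting after the fact does not help once a copy of the store is exposed.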
There is a significant amount of location data logged in the database, which, combined with the portal access, has severe consequences. This opens up the possibility of in-person theft or attacks. Not only do we have business addresses and GPS coordinates, but also detailed descriptions of how to enter a building or office. Because clients openly disclosed alarm codes or how to access their keys, there could be insurance consequences as well. Insurance companies could void a policy if policyholder negligence caused a break-in.
One danger of exposing email addresses involves malicious players using them for phishing attacks. If a company’s client list can be viewed along with the company email address, it is even easier to fool clients into opening an email that includes malware. This can give hackers direct access to a system that had no connections to this open database. Companies have a moral obligation to keep their clients’ data secure. In this case, any company using Fieldwork did not uphold this.
Advice from the Experts
There are a few simple steps Fieldwork could have taken to protect its database from the start. Here are a few expert tips to prevent or patch a breach in a database.
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
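The third tip is the one most directly behind this leak: a data store reachable from the internet with no authentication in front of it. A routine self-check for that condition is to audit which services on a host listen on all interfaces rather than on loopback or an internal address. The script below is an added example, not vpnMentor's or Fieldwork's code; it parses the output format of `ss -tlnp` on Linux, and the sample output and the list of ports treated as "allowed to be public" are constructed assumptions.

```python
"""Flag database services bound to every interface in `ss -tlnp` output.

Added example (not from the report). Assumptions: the host is Linux and the
input is the text printed by `ss -tlnp`; ALLOWED_PUBLIC lists ports that
are intentionally internet-facing on this host.
"""
import re
from dataclasses import dataclass

# Well-known default ports of common database and search services.
DB_PORTS = {
    3306: "MySQL/MariaDB", 5432: "PostgreSQL", 6379: "Redis",
    9200: "Elasticsearch", 27017: "MongoDB", 5984: "CouchDB", 9042: "Cassandra",
}
# Local-address forms ss uses for "listen on all interfaces".
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
# Ports this host is meant to expose (assumed; adjust per host).
ALLOWED_PUBLIC = frozenset({22, 443})

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(text: str) -> list:
    """Extract (address, port, process) from each LISTEN line of ss output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening line
        addr, _, port = fields[3].rpartition(":")  # handles [::]:port too
        match = PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit(listeners: list, allowed_public=ALLOWED_PUBLIC) -> list:
    """Return findings for wildcard-bound listeners that are not on the allow list.

    A known database port is rated "high": it needs authentication and a
    firewall rule, or rebinding to an internal address. Anything else bound
    to all interfaces is rated "review".
    """
    findings = []
    for lst in listeners:
        if lst.addr not in WILDCARD_ADDRS or lst.port in allowed_public:
            continue
        service = DB_PORTS.get(lst.port)
        findings.append({
            "port": lst.port,
            "process": lst.process,
            "bind": lst.addr,
            "severity": "high" if service else "review",
            "reason": (f"{service} reachable on all interfaces" if service
                       else "non-allow-listed service on all interfaces"),
        })
    return findings


# Constructed sample of `ss -tlnp` output; not captured from any real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=1024,fd=6))
LISTEN  0       4096    *:9200               *:*                users:(("java",pid=2048,fd=120))
LISTEN  0       128     [::]:27017           [::]:*             users:(("mongod",pid=3001,fd=11))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("node",pid=4100,fd=19))
"""


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS)):
        print(f"[{finding['severity']}] :{finding['port']} {finding['process']} "
              f"({finding['bind']}) {finding['reason']}")
```

On a live host, pipe `ss -tlnp` into `parse_ss` instead of the sample. A wildcard bind is only a symptom: the fix is to require authentication on the service, restrict it to internal addresses, and put a firewall or security-group rule in front of it.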
How the Breach was Discovered
Our research team uncovered this data leak in our extensive web-mapping project. Headed by Ran and Noam, the team scans ports across known IP blocks. From there, the team can look for openings in the system. After finding a leak, they use their considerable cybersecurity knowledge to confirm the database’s identity.
Each time we discover a breach, we contact the owner of the database to alert them to the leaking data. If possible, we will also inform others affected by the openings in the system. Our goal with this project is to create a safer and more secure internet for users everywhere.
Fawkes, Guy. (2019, July 17). Report: Fieldwork Software Leaks Sensitive Customer Data. vpnMentor.