Vending Machine Payment Processor Exposed 5 Million Records Online
Secure Thoughts partnered with security researcher Jeremiah Fowler to disclose a massive database of over 5 million records containing partial credit card numbers, among other sensitive financial information. Here are his findings:
On Thursday, March 11th, I discovered a non-password-protected database that contained partial credit card numbers, payment details, and internal logging records. Upon further investigation it appeared that the publicly accessible dataset contained logs that captured activity across the network. The misconfiguration exposed 5.2 million records to basically anyone with an internet connection. Logging records are an important part of data monitoring for any business or organization. However, they also collect and store event data that can lead to sensitive information being exposed.
The misconfigured IP address redirected to a logging subdomain of a company called Modularity. According to a press release from March 2020, the fintech company Nayax acquired Modularity. Nayax sells cashless, telemetry, management, monitoring and business intelligence products for the vending and unattended retail industries. Modularity develops hardware-agnostic payment middleware with advanced features and capabilities enabling a variety of payment types.
Details of the Exposure:
- Total Size: 2.11 GB / Total Docs: 5,227,407
- Exposed records that contain internal logging and credit card numbers.
- Paybridge data, including a pathway to an Amazon database, merchant ID numbers, and other internal data that could potentially be exploited.
- The exposure shows where data is stored and serves as a blueprint of how the service operates from the backend.
- Remote IP addresses and ports of the connected devices that accessed the network for what appeared to be merchant processing of payments.
- Middleware or build information that could allow for a secondary path for malware. Middleware is the bridge between other software or applications.
- IP addresses, ports, pathways, and storage info that cyber criminals could exploit to access deeper into the network.
The two indices were titled Graylog_0 and Graylog_1, and there was also evidence of a ransomware notice named "Read Me" inside the database that demanded Bitcoin or the records would be destroyed. Graylog is a centralized log management application that captures, stores, and enables real-time analysis of large amounts of data. Graylog can also be configured with rules to identify a wide range of security-related issues or network intrusions.
I ran several search queries that identified keywords such as Visa, Mastercard, Amex, payment, and others that all yielded results. During the validation process I reviewed a large sampling of the 5.2 million records. We do not download or extract records, and it would have been a very time-consuming process to manually review each document. This would have slowed down the disclosure process when time is important. As a security researcher my goal is data protection, and in this incident it was a race against the clock to notify the data owners before the records could be exploited or wiped out by ransomware.
Once I noticed that the dataset contained what appeared to be payment and credit card related information, I immediately contacted several individuals at Nayax and Modularity. The database was restricted from public access shortly after my notice. It is unclear what impact this exposure may have had on users or merchants. It is also unknown how long the data was exposed and who else may have had access to the logging records. No one replied to my responsible disclosure notice or a follow-up request on March 24th.
Modularity is now a subsidiary of the global financial technology company Nayax and provides merchant financial services to a variety of retailers. Nayax serves customers across 65 countries, supports more than 350,000 points of sale worldwide and partners with over 70 global financial institutions. Nayax is also a licensed payment institution. Nayax processes payments for a wide range of devices such as drink vending machines, laundromats, public transport, car wash, paid restrooms, massage chairs, electric vehicle charging stations, photo booths, amusement machines, games and rides, and other unattended machines or services.
The Risk of a Log Exposure
Many people make the mistake of assuming that logging and monitoring records are harmless or low value targets. This is a huge mistake because these records can contain information about critical security flaws, failed or successful logins, details about the middleware used inside the network, data storage locations, and much more. Each small detail spread across millions of records can provide puzzle pieces to create a complete picture of the internal network or other sensitive information.
Security monitoring, alerting and reporting are a vital part of what logs do. These can often be millions upon millions of records that include false alerts or common, mind-numbing actions. This data is useless without an application to parse those log files and create alerts, identify network intrusions or malware attacks.
Logging and monitoring records should have strict permissions concerning which users can access the directories, and the permissions of files within the directories. Obviously no organization wants to expose internal records online and the best way to protect this data is to ensure patch management, correct firewall configuration, user permissions, and use encryption if possible. If the records are encrypted this greatly reduces the chances of even the most sensitive data being exploited.
I would advise any company that collects and stores potentially sensitive information to regularly review their monitoring and logging processes. These records are sometimes kept separately from the core infrastructure and should also be included in penetration testing or other security measures.
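The keyword searches described in the findings ("Visa", "Mastercard", "payment") show that card data leaks into logs through free-text messages, not just through named fields. The script below is an added example, not code from the original post, from Nayax or from Modularity, and not a reproduction of the exposed data. It does two things a reviewer of a logging pipeline would want: it triages a batch of log documents (in the JSON shape a Graylog or Elasticsearch index would return) for Luhn-valid card numbers without copying the numbers out, and it produces a redacted copy of each document suitable for indexing or sharing. The sample records, the field names `message` and `merchant_id`, the merchant ID format and the Paybridge-style message layout are all constructed for the example.

```python
"""Triage log documents for card numbers and redact them before indexing.

Added example for this article. The records, field names and message formats
below are constructed; they are not data from the exposed Graylog indices.
"""
import json
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Candidates are confirmed with the Luhn check,
# which cuts most false positives (timestamps, batch numbers) but not all:
# roughly one random digit run in ten passes Luhn, so treat hits as leads.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields whose entire value is replaced regardless of content (constructed
# name; the real index's field names are not known from the article).
SENSITIVE_KEYS = ("merchant_id",)

SAMPLE_RECORDS = [  # constructed sample documents, not data from the exposure
    {"timestamp": "2021-03-11T09:14:02Z", "level": "INFO", "source": "paybridge",
     "message": "auth ok card=4111 1111 1111 1111 merchant=M-10442 remote=203.0.113.7:51422"},
    {"timestamp": "2021-03-11T09:14:03Z", "level": "DEBUG", "source": "paybridge",
     "message": "settlement batch 1615420800123 queued", "merchant_id": "M-10442"},
    {"timestamp": "2021-03-11T09:14:05Z", "level": "ERROR", "source": "paybridge",
     "message": "declined pan=5500000000000004 reason=insufficient_funds"},
]


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by Visa, Mastercard, Amex and others."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers in text as plain digit strings."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, e.g. ************1111."""
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


def scan_record(record: dict) -> list:
    """Return (field, masked_pan) for each card number found in a document.

    Only the masked form is returned, so a triage report never contains PANs.
    """
    hits = []
    for field, value in record.items():
        if isinstance(value, str):
            hits.extend((field, mask_pan(pan)) for pan in find_pans(value))
    return hits


def scan_records(records: list) -> dict:
    """Summarise how many documents in a batch contain card numbers."""
    affected = [i for i, rec in enumerate(records) if scan_record(rec)]
    return {"total": len(records), "with_pan": len(affected), "indices": affected}


def redact_record(record: dict, sensitive_keys=SENSITIVE_KEYS) -> dict:
    """Return a copy with PANs masked in all strings and sensitive fields dropped."""
    out = {}
    for field, value in record.items():
        if field in sensitive_keys:
            out[field] = "[REDACTED]"
        elif isinstance(value, str):
            out[field] = mask_pans(value)
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    print(json.dumps(scan_records(SAMPLE_RECORDS)))
    for rec in SAMPLE_RECORDS:
        print(json.dumps(redact_record(rec)))
```

In a Graylog deployment the same redaction belongs in a pipeline rule or in the application's log formatter so that card data never reaches the index; the scanner is for auditing what is already there. Note that the article's exposure involved partial card numbers as well, which a 13-digit minimum will not catch, so a review should also search for the field names and keywords the application actually emits.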