ADVERTISEMENT

Sky.com servers exposed via misconfiguration

sky leak featured image
Cybernews Team
Oct 8, 2021 Updated: 14 March 2022 4 min read
Now, however, the URL to the exposed configuration file became publicly visible to anyone with a free search engine account, which might include malicious actors.

What’s in the configuration file?

  • Production-level access credentials (including passwords in plain text) to databases hosted on the Sky.com subdomain, from localhost (development branch) to Windows Server (production branch).
  • IP addresses and domain names that lead to development endpoints – specialized environments used by developers for testing and iteration.
Sky servers leak<br>

Who had access?

ADVERTISEMENT

What’s the impact?

The importance of educating support staff on responsible disclosure

Unfortunately, it took multiple phone calls with Sky support staff from several unrelated departments before we could reach someone capable of understanding the problem.

Disclosure

Regarding Sky.com reaction to the breach

  1. The leaked information included access and cleartext credentials to internal servers with IP addresses and databases. This can be compared to someone finding a little book with your social media passwords. It wasn’t just one database, too. The entire Sky Business service, with its topology, was fully exposed.
  2. We have not used the passwords to access the databases – it would be illegal to do so. However, as the credentials were available in plaintext, it would’ve been very easy for us or any threat actors to do so.
  3. The credentials were rather easily accessible: meaning that Cybernews may not have been the first or the only ones to discover it – we’re only the first ones to officially report it.
  4. Someone accessing the information using the leaked credentials would not be immediately caught – it would only show as “unusual behavior” to the sysadmins.
  5. The access remained available for at least a month. Combining that with the fact that sysadmins didn’t see the open access, it’s not only a question “WHEN” this issue would be exploited. It’s also a question whether someone else has done it already.
  6. The access could’ve been used for lateral movement, allowing the threat actors to gain additional levels of access through further exploits, gaining admin/root access, and spreading through the network.
  7. Sky is owned by Comcast – a large telecommunications conglomerate and an ISP. With enough lateral movement, this publicly available breach could’ve potentially been used to infect a wide range of servers
  8. One of the potential exploits is a massive ransomware attack, affecting the Sky.com users or potentially even the Comcast network. There is no proof that such an attack is planned. However, it is possible. If this information fell not to us, but a less ethical party, the consequences could’ve potentially been disastrous.
  9. Such information is sold on hacker forums for large sums of money – such misconfiguration with open access would’ve fetched a massive fee and likely affected a lot of innocent users.
  10. Sky comments that no information has been affected. Since then, it has since fixed the vulnerability and did not respond to our other queries, concerning whether the credentials belonged to Sky, what steps where taken to mitigate the incident, and what were the systems affected.
  11. Finally, we believe it’s important to note the distinction here. This was not a security breach. TechTarget states: “A security incident is an event that may indicate that an organization’s systems or data have been compromised or that measures put in place to protect them have failed.“. If someone used these credentials to access Sky’s databases, and used the information, that would be a breach. Here, it’s like if someone found Sky’s credit card – but did not use it.
ADVERTISEMENT