CyberNews researchers found an exposed configuration file hosted on a Sky.com subdomain, containing what appear to be production-level database access credentials, as well as addresses to development endpoints.
Sky, a subsidiary of Comcast, is Europe's largest media company, boasting a 12% market share and a revenue of approximately £13.4 billion in 2020, as well as more than 31,000 employees and 24 million customers. UpLift Media, launched by Sky and Molson Coors in 2015, is an in-venue digital screen advertising network that operates digital screens in bars and other leisure venues across the UK.
During a threat intelligence gathering operation, our Investigations team came across an exposed configuration file that included plain text access credentials to multiple databases on a domain hosted by the Sky media conglomerate.
The configuration file, first indexed on an IoT search engine on September 7, appears to be the main configuration file of the application hosted on the ‘upliftmedia’ subdomain of Sky.com, and includes plain text access credentials to databases hosted on the Sky.com domain.
The IoT search engine that indexed the file enforces a ‘grace period’ of 30 days, during which the indexed leaks are only visible to ‘trusted users and researchers.’ This is presumably intended to help security researchers vetted by the search engine’s staff to secure the exposed devices and files indexed on the service.
Now, however, the URL to the exposed configuration file became publicly visible to anyone with a free search engine account, which might include malicious actors.
After we reported the issue to Sky on October 8, a company representative informed CyberNews that Sky has “taken action to address the issue.” Access to the configuration file has now been disabled.
Updated on 12/10: In a response to TechRadar's coverage of our investigation, Sky said it acted fast to mitigate the misconfiguration and that "customer data was never at risk, and there was no larger impact on its data or systems."
Updated on 14/10: we have added our response to Sky's reply, explaining the breach in detail.
To see if any of your online accounts were exposed in previous security breaches, use our personal data leak checker with a library of 15+ billion breached records.
What’s in the configuration file?
The unsecured configuration file appeared to contain, among other things:
- Production-level access credentials (including passwords in plain text) to databases hosted on the Sky.com subdomain, from localhost (development branch) to Windows Server (production branch).
- IP addresses and domain names that lead to development endpoints – specialized environments used by developers for testing and iteration.
Example of exposed database access credentials:
Note: Our researchers did not access any unsecured databases due to the potential ethical implications of accessing private databases without authorization.
Who had access?
While it’s unclear if any malicious actors or security researchers have accessed the configuration file before it was secured by Sky, the file itself was presumably indexed by the IoT search engine for at least 30 days prior to its publication.
Anyone who knew where to look could have accessed the data during that period and abused the authentication credentials found in the configuration file.
What’s the impact?
Without having accessed the databases themselves, it would be difficult to calculate the impact of this leak on Sky, UpLift Media, or their customers.
There’s no way to tell what data is being stored on the production server. With that said, exposed configuration files can serve as quick infiltration shortcuts for ransomware groups that could take a company’s servers and data hostage.
If the databases held personal user information, the impact of phishers getting their hands on that data could be massive: Sky.com email credentials could let malicious actors send phishing emails directly from the Sky.com domain, bypassing spam filters and gaining their victims’ trust in the process.
In addition, abusing database access credentials could help threat actors plant a shell interface on the Sky.com web server, potentially resulting in full website takeover, as well as expansion to Sky’s other corporate networks.
Losing plain text credentials for internal servers and databases can spell disaster for any company. Considering the massive scope of disruption a complete network takeover would cause to both Sky and its clients, ransomware operators or affiliates would pay extremely handsomely for a leak of this type on the black market. Such misconfigurations are prime targets for ransomware cartels and bad actors looking to profit from mistakes made by companies of Sky’s size and importance.
The importance of educating support staff on responsible disclosure
In 2021, organizations that wish to avoid security breaches must react faster than ever, which is why technical support staff needs to be acquainted with responsible disclosure procedures. While we commend Sky for fixing the misconfiguration issue quickly and efficiently, getting to the right person has proven to be somewhat difficult.
Unfortunately, it took multiple phone calls with Sky support staff from several unrelated departments before we could reach someone capable of understanding the problem.
Moreover, Sky’s responsible disclosure help page includes an ‘Ask Sky Community’ button, which presumably allows security researchers (or anyone else, for that matter) to report vulnerabilities and security breaches directly to Sky’s public message boards. It goes without saying that the inclusion of the button left us speechless.
When it comes to reporting security breaches, every minute counts, and with the number of cyberattacks growing at unprecedented rates, organizations must focus on educating staff about security policies and disclosure procedures before it’s too late.
On October 8, we reached out to Sky to inform them of the leak and help secure the exposed configuration file. We also asked the company for a comment and posed further questions regarding the incident.
On the same day, a Sky representative informed CyberNews that following an internal investigation, access to the file has been disabled and the servers are no longer accessible.
We will update the article as soon as we receive further comments from Sky.
Regarding Sky.com reaction to the breach
On the 12th of October, in response to TechRadar, Sky stated that "customer data was never at risk, and there was no larger impact on its data or systems." These are our statements in response to that:
- The leaked information included access and cleartext credentials to internal servers with IP addresses and databases. This can be compared to someone finding a little book with your social media passwords. It wasn’t just one database, too. The entire Sky Business service, with its topology, was fully exposed.
- We have not used the passwords to access the databases – it would be illegal to do so. However, as the credentials were available in plaintext, it would’ve been very easy for us or any threat actors to do so.
- The credentials were rather easily accessible: meaning that Cybernews may not have been the first or the only ones to discover it – we’re only the first ones to officially report it.
- Someone accessing the information using the leaked credentials would not be immediately caught – it would only show as “unusual behavior” to the sysadmins.
- The access remained available for at least a month. Combining that with the fact that sysadmins didn’t see the open access, it’s not only a question “WHEN” this issue would be exploited. It’s also a question whether someone else has done it already.
- The access could’ve been used for lateral movement, allowing the threat actors to gain additional levels of access through further exploits, gaining admin/root access, and spreading through the network.
- Sky is owned by Comcast – a large telecommunications conglomerate and an ISP. With enough lateral movement, this publicly available breach could’ve potentially been used to infect a wide range of servers
- One of the potential exploits is a massive ransomware attack, affecting the Sky.com users or potentially even the Comcast network. There is no proof that such an attack is planned. However, it is possible. If this information fell not to us, but a less ethical party, the consequences could’ve potentially been disastrous.
- Such information is sold on hacker forums for large sums of money – such misconfiguration with open access would’ve fetched a massive fee and likely affected a lot of innocent users.
- Sky comments that no information has been affected. Since then, it has since fixed the vulnerability and did not respond to our other queries, concerning whether the credentials belonged to Sky, what steps where taken to mitigate the incident, and what were the systems affected.
- Finally, we believe it’s important to note the distinction here. This was not a security breach. TechTarget states: “A security incident is an event that may indicate that an organization’s systems or data have been compromised or that measures put in place to protect them have failed.“. If someone used these credentials to access Sky’s databases, and used the information, that would be a breach. Here, it’s like if someone found Sky’s credit card – but did not use it.