Muted Applause: leading software testing firm leaves credentials vulnerable


Applause, a leading software testing company, inadvertently left its credentials accessible to anyone on the internet, giving attackers a path to customer data.

On July 21st, 2024, the Cybernews research team discovered a publicly hosted environment configuration file (.env) belonging to Applause, a leading provider of crowdtesting and digital quality solutions.

These configuration files are essential components of a system, holding values and settings to run in a specific environment. They should be protected at all costs.

Applause exposed a .env file containing multiple credentials for its WordPress, Salesforce, Marketo, and Gotowebinar systems, which usually hold sensitive customer data.

“This serious leak could lead to unauthorized access to marketing data, customer information, financial records, and operational details. Applause works with some major companies, such as Google, Microsoft, Rolex, Dow Jones, Starbucks, and many more, making it a prime target for potential attackers,” our researchers explained.

Cybernews researchers disclosed the leak to the company on July 22nd. Applause responded swiftly and closed the leak. However, the credentials were first indexed by search engines for internet-connected devices in April 2024, meaning the environment file was left exposed for three months.

“We were notified in July of a potential access issue with a file on our website. We took immediate, transparent action to investigate. We conducted a thorough audit and confirmed that there was no unauthorized access to our systems or data and used this opportunity to further enhance our internal processes and systems. We consider the inquiry now closed and thank the researchers at Cybernews for the responsible disclosure,” the spokesperson for Applause said.


Customer data could be exposed

The Cybernews research team identified these credentials in the exposed configuration file:

  • Credentials from Marketo, a marketing automation platform. A potential attacker could use these to gain access to marketing data, email campaigns, and customer interactions. The data can be further exploited in phishing attacks, spam, and exposure of sensitive data.
  • Salesforce credentials, which provide full access to the platform. Unauthorized attackers could use them to steal data, approve transactions, and manipulate customer data, leading to significant financial loss and reputational damage. Additionally, attackers could use this data for targeted phishing attacks against Applause’s clients.
  • Gotowebinar account credentials, exposing webinar schedules, participant data, and recordings. With these, an attacker could disrupt scheduled events, obtain participant information, and misuse recordings, leading to privacy breaches and disruption of business operations.
  • WordPress Rocket credentials. WP Rocket is a popular content caching and performance optimization plugin. If compromised, attackers could degrade website performance or inject malicious content, disable caching, and manipulate other settings, leading to increased server load, slower page load times, and a worse user experience.
  • Location of the WordPress debug log, a diagnostic tool used to troubleshoot issues on a website. The log can reveal detailed error messages, system paths, and other useful information to attackers looking for potential vulnerabilities and misconfigurations. This information can be used to launch further attacks.

“Given the significance of this leak, it’s important to protect the instances as soon as possible to avoid significant implications,” our researchers said.

Applause isn’t alone in leaving sensitive files public. Cybernews researchers previously discovered at least 58,364 unique websites that are vulnerable to data breaches and even complete takeovers due to exposed .env files.

“The configuration file is an essential part of any system. Multiple mistakes can lead to inadvertent exposures, such as access control misconfigurations, forgetting to update the .gitignore file, lack of IP whitelisting, insufficient use of secure and encrypted storage solutions, and others. It’s necessary to periodically check web server configuration, use online scanning tools, or manually try to access the .env file through a web browser,” Cybernews researchers said.
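The manual browser check the researchers describe can be scripted for the sites you operate. The following is an added example written for this article, not code from Cybernews or Applause: it fetches /.env from a single base URL you supply (the hostname is a placeholder), decides whether the response body looks like a dotenv file rather than an error page, and lists the key names in it that usually carry secrets. The offline sample body at the bottom is constructed.

```python
"""Self-check: does our own web server serve its .env file?

Added example for this article (not Cybernews' or Applause's code).
The target hostname is a placeholder; only point it at hosts you operate.
"""
import re
import urllib.error
import urllib.request

# KEY=VALUE lines as written in dotenv files ("export" prefix optional).
DOTENV_LINE = re.compile(r"^\s*(?:export\s+)?[A-Z][A-Z0-9_]*\s*=")
# Substrings of key names that usually indicate a credential.
SENSITIVE = ("PASSWORD", "SECRET", "TOKEN", "KEY", "CLIENT_ID", "CREDENTIAL")


def looks_like_dotenv(body: str, min_lines: int = 2) -> bool:
    """True when at least `min_lines` non-comment lines are KEY=VALUE."""
    hits = 0
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if DOTENV_LINE.match(line):
            hits += 1
    return hits >= min_lines


def sensitive_keys(body: str) -> list:
    """Key names in the body whose names suggest credentials (values are never returned)."""
    keys = []
    for line in body.splitlines():
        if DOTENV_LINE.match(line):
            key = line.split("=", 1)[0].strip()
            if key.startswith("export"):
                key = key[len("export"):].strip()
            if any(tag in key for tag in SENSITIVE):
                keys.append(key)
    return keys


def classify(status: int, body: str) -> str:
    """Map an HTTP response to 'exposed', 'blocked', or 'not_dotenv'."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and looks_like_dotenv(body):
        return "exposed"
    return "not_dotenv"


def check_own_site(base_url: str) -> tuple:
    """Fetch <base_url>/.env and classify it; returns (verdict, sensitive key names)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/.env",
        headers={"User-Agent": "dotenv-selfcheck"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status = resp.status
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""
    verdict = classify(status, body)
    return verdict, sensitive_keys(body) if verdict == "exposed" else []


# Constructed sample of what an exposed file might look like; placeholder values.
SAMPLE_BODY = (
    "# constructed sample\n"
    "WP_ROCKET_KEY=placeholder\n"
    "SALESFORCE_PASSWORD=placeholder\n"
    "APP_ENV=production\n"
)

if __name__ == "__main__":
    print(classify(200, SAMPLE_BODY), sensitive_keys(SAMPLE_BODY))
    # check_own_site("https://www.example.com")  # replace with a host you operate
```

A 200 with an HTML "not found" page is reported as `not_dotenv`, not `exposed`, because some servers answer every path with a 200; the verdict depends on the body shape, not the status code alone.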

If such an incident is detected, website administrators should immediately make the .env file inaccessible from the web, for example by putting it behind authentication and authorization, to mitigate it. Cybernews researchers also recommend doing the following:

  • Investigate access logs to identify whether any threat actors have accessed the exposed sensitive information.
  • Rotate all exposed credentials to mitigate current risks.
  • Implement stricter access controls, use environment-specific configurations, and encrypt sensitive data at rest and in transit.
  • Inform affected users and regulators if needed.
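The first step in that list, checking the access logs, is where breach scope is decided: a request for the file that the server answered with 200 means the contents actually left the host, while a 403 or 404 means it was refused. The following is an added example written for this article, not Cybernews' or Applause's code. It parses Apache/nginx combined-format log lines, picks out every request for an environment file (including suffixed copies such as .env.bak), and reports which client addresses obtained it and over what period. The log lines at the bottom are constructed, not real traffic.

```python
"""Access-log triage after an exposed .env file.

Added example for this article (not Cybernews' or Applause's code).
Parses combined-format lines and separates served (200) env-file requests
from refused ones. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Optional

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# /.env plus common suffixed copies (.env.bak, .env.production, ...)
ENV_PATH = re.compile(r"/\.env(?:\.[\w.-]+)?$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def triage(lines) -> dict:
    """Return {'served': [...], 'refused': [...]} for env-file requests.

    'served' is what matters for breach scope: the server returned 200,
    so the file contents were delivered to that client.
    """
    report = {"served": [], "refused": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ENV_PATH.search(rec["path"]):
            continue
        bucket = "served" if rec["status"] == 200 else "refused"
        report[bucket].append(rec)
    return report


def summarize(report: dict) -> dict:
    """Per client IP that obtained the file: (first seen, last seen, count), in log order."""
    by_ip = defaultdict(list)
    for rec in report["served"]:
        by_ip[rec["ip"]].append(rec["time"])
    return {ip: (times[0], times[-1], len(times)) for ip, times in by_ip.items()}


SAMPLE_LOG = [  # constructed sample lines, documentation-range addresses
    '203.0.113.7 - - [14/Apr/2024:02:11:09 +0000] "GET /.env HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Apr/2024:09:40:51 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/May/2024:17:03:44 +0000] "GET /.env.bak?x=1 HTTP/1.1" 200 1834 "-" "curl/8.0"',
    '192.0.2.55 - - [22/Jul/2024:11:15:00 +0000] "GET /.env HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for ip, (first, last, count) in summarize(rep).items():
        print(f"{ip}: {count} successful fetch(es) between {first} and {last}")
```

Run it against the real log with `triage(open("/var/log/nginx/access.log"))`; the earliest `served` timestamp is the lower bound on how long the credentials have been in someone else's hands, which is what the rotation and notification steps above need to know.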