Social platform for the cricket community exposed over 100k entries of private customer data and admin credentials.
Cricketsocial.com, a platform for developing the cricket community online, left an open database with a trove of data, researchers at Cybernews discovered.
The open instance contains email addresses, phone numbers, names, hashed user passwords, dates of birth, and postal addresses. While most of the entries appear to be test data, the team’s research shows that some of the entries are personally identifiable information (PII) belonging to legitimate site users.
A US-based LLC of the same name owns Cricketsocial.com. The platform’s partner list on the website indicates that apart from the Cricket League of New Jersey, most of the organizations listed on cricketsocial.com are based in India. The exposed database was hosted by Amazon Web Services (AWS) in the US.
Cricket is a bat-and-ball game with an estimated global following of 2.5 billion people. The sport is especially popular in India, the United Kingdom, Australia, South Asia, Southern Africa, and the West Indies.
The accessible database also exposed data that could be directly harmful to the website itself. For example, the database held what appeared to be plaintext credentials for a website administrator account. If those credentials were valid, threat actors could easily use them to take over the site.
Storing passwords in plaintext is extremely dangerous. Even if a database is not public facing, exposure remains a risk: intruders who penetrate a corporate database can immediately read passwords stored this way, with no cracking step required.
Alongside the admin credentials and user PII, the open instance also holds all of the content stored on the website. The stored data includes posts, comments, like counts, and links to images kept in the AWS storage bucket.
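The distinction between hashed user passwords and a plaintext admin credential is exactly what a pre-release data audit should catch. The following is an added example, not code from the article or from Cricketsocial.com: a small Python check that classifies each stored credential field as a salted hash, a bare digest or plaintext, run over constructed records in the shape described above, together with the scrypt hash-and-verify routine the admin record should have used. Field names, sample values and the `$scrypt$` encoding are assumptions.

```python
import hashlib
import hmac
import os
import re

# Salted, iterated encodings in modular-crypt / PHC form: $2b$ (bcrypt), $argon2id$, $scrypt$, $6$ (sha512crypt).
SALTED_HASH_RE = re.compile(r"^\$(argon2(id|i|d)|2[aby]|scrypt|pbkdf2-sha256|[56])\$")
BARE_DIGEST_RE = re.compile(r"^[0-9a-f]{32,128}$")  # unsalted md5/sha hex: not plaintext, but crackable offline

def classify_secret(value: str) -> str:
    """How a stored credential value is protected: salted-hash, bare-digest or plaintext."""
    if SALTED_HASH_RE.match(value):
        return "salted-hash"
    return "bare-digest" if BARE_DIGEST_RE.match(value) else "plaintext"

def audit(records):
    """Every credential field that is not a salted hash, as (collection, id, field, classification)."""
    findings = []
    for r in records:
        for f in ("password", "api_key"):  # assumed field names
            if f in r and (cls := classify_secret(str(r[f]))) != "salted-hash":
                findings.append((r["collection"], r["id"], f, cls))
    return findings

def hash_password(password: str, salt: bytes = b"") -> str:
    """scrypt with a random 16-byte salt; parameters are encoded so verification can recompute the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"$scrypt$n=16384,r=8,p=1${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time; malformed input never verifies."""
    try:
        _, scheme, params, salt_hex, digest_hex = stored.split("$")
        kw = {k: int(v) for k, v in (kv.split("=") for kv in params.split(","))}
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=kw["n"], r=kw["r"], p=kw["p"], dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed sample in the shape the article describes: hashed test users beside an admin record stored in plaintext.
SAMPLE_RECORDS = [
    {"collection": "users", "id": 1, "email": "test1@example.com", "password": "$2b$12$" + "a" * 53},
    {"collection": "users", "id": 2, "email": "user@example.com", "password": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"collection": "admins", "id": 1, "email": "admin@example.com", "password": "Summer2022!"},
]
```

Running `audit(SAMPLE_RECORDS)` flags the unsalted digest and the plaintext admin password; rehashing the latter with `hash_password` yields a value the audit accepts and `verify_password` still checks.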
According to the researchers, another open instance owned by cricketsocial.com contains all the same types of information found in the first one. However, the second exposed database was much smaller and was likely used for development and quality assurance purposes.
Even though some of the information in the larger database was likely used for testing, security risks remain. According to the Cybernews research team, because much of the information in the exposed database was stored in plaintext, the threats it poses are substantial.
“Even if all the information stored was test data, leaving data in plaintext is a poignant indication of bad security practices being employed. That creates unnecessary risks for unsound practices creeping into the production environment if left unchecked,” researchers said.
Since threat actors have multiple tools to distinguish which data points are for test purposes and which belong to real users, sifting the dataset for valuable information would hardly challenge a determined threat actor.
“Once that is done, information can be sold for substantial amounts of money. Threat actors could later use this information for identity theft or spam,” Cybernews researchers explained.