Ecco, a global shoe manufacturer and retailer, exposed millions of documents. Not only could anyone have modified the data, but the server misconfiguration’s severity likely left the company open to an attack that could have affected customers all over the world.
It's no use carrying an umbrella if your shoes are leaking, an old Irish proverb says. Words that sum up the recent predicament of Ecco, a Danish shoe manufacturer and retailer with thousands of stores and sales points all over the planet.
Our research team discovered an exposed instance hosting a trove of data for Ecco. The team has identified that Ecco left 50 indices exposed to the public, with over 60GB of data accessible since June 2021.
Millions of sensitive documents, from sales to system information, were accessible. Anyone with access could have viewed, edited, copied and stolen, or deleted the data.
We reached out to Ecco but received no reply before going to press. However, at the time of publishing, the company appears to have fixed the problem.
Our research team recently discovered an exposed instance that hosts Kibana, an ElasticSearch visualization dashboard, for Ecco. Kibana allows processing of information on ElasticSearch, a storage facility favored by enterprises dealing with large volumes of data.
Even though the instance hosting the dashboard was protected with a basic Hypertext Transfer Protocol (HTTP) authentication, the server was misconfigured and allowed all Application Programming Interface (API) requests through. Under an umbrella with leaky shoes, indeed.
The misconfigured authentication allowed us to look up the index names on Ecco's ElasticSearch, revealing 50 exposed indices with over 60GB of data. The exposed servers contain documents ranging from sales and marketing to logging and system information.
According to the team, historical data indicates that the exposed database was left accessible for at least 506 days, since June 4, 2021. Over 35GB of data was added to the exposed database after the server misconfiguration opened a security hole in Ecco's infrastructure.
"A threat actor could change the visible code, naming, and URLs to phish or potentially make victims or employees install unwanted files, such as ransomware loaders or remote access tools on their browsers and devices, causing immense damage."Cybernews researchers said.
The names of indices on the open server show that millions of documents were revealed. For example, a directory named sales_org contained over 300,000 documents. Another directory, titled market_specific_quality_dashboard, had over 820,000 records.
As the table with exposed indices shows, millions of documents covering various aspects of Ecco's corporate life were accessible, from performance monitoring to information about system status.
Worryingly, the database appears to be linked with the ecco.com website, likely used by international Ecco websites, thus providing a skilled threat actor with the means to target the company globally.
According to the researchers, the capability to modify the data inside ElasticSearch would be a dangerous tool in the hands of persistent threat actors, allowing them to launch a campaign against Ecco stores, employees, and even clients.
"A threat actor could change the visible code, naming, and URLs to phish or potentially make victims or employees install unwanted files, such as ransomware loaders or remote access tools on their browsers and devices, causing immense damage," Cybernews researchers said.
False sense of security
The misconfiguration our team uncovered is of particular danger. Since Ecco's server is protected with HTTP authorization, the company's protection might treat it as 'safe,' allowing the issue to persist for so long.
The Cybernews researchers note that organizations ought to review their security policies and access more often, ensuring there are no inconsistencies, especially after each code push to the live environment.
"Preconfigured servers that worked fine in the past could have new versions of dependencies, leading to new security issues if left unchecked. Even when everything looks secure, it is still necessary to treat it as unsafe, for example, by sanitizing all the inputs," the researchers said.
While it's impossible to know if malicious actors took advantage of the Ecco leak, users are advised to keep an eye on the company's content to avoid malicious phishing attempts. A password manager with two-factor authentication is also suggested, to sidestep possible attacks.
"Knowing how to keep yourself safe, how to identify threats, and having strong authentication in place could save users from hours of headaches and possible financial loss," Cybernews researchers said.
More from Cybernews:
Subscribe to our newsletter