Kant.ru, a large Russian retailer with 280 dealers and 500 points of sale, exposed an environment (env.) file on the company’s official website, the Cybernews research team has discovered.
An environment file holds the configuration values (environment variables) that an application reads when it starts, and those values routinely include credentials and API keys. Leaving such a file open to anyone can expose critical data and give threat actors a range of options for attacking.
In Kant.ru’s case, the file contained a treasure trove for any attacker – everything from management logs and official Telegram channel credentials to AliExpress app keys.
“All the exposed credentials in the environment file could enable threat actors to launch a wide array of cyberattacks on Kant.ru and its clients. Through the theft of customer personal and payment information, attackers can deploy spearphishing and malware attacks and commit transaction fraud,” researchers said.
After the article was published, Kant.ru contacted Cybernews saying that the company's “internal monitoring has not revealed any leaks of personal data.”
“We have taken all necessary measures to close access to files with credentials and to prevent intruders from leaking and gaining access to users' personal data, databases, servers and applications of Kant.ru. We believe that these issues have arisen in connection with the updating process of the online store,” Kant.ru told Cybernews.
What kind of data was exposed?
The exposed env. file contained information about online marketplaces Sbermegamarket and Goods.ru, which are used by the affected company. While merchant passwords were not exposed, IDs and tokens were publicly available, providing information that could be used to develop targeted attacks.
The research team also found credentials to Graylog, a log management platform for collecting, indexing, and analyzing data. Exposed Graylog credentials could allow attackers to gain unauthorized access to Kant.ru’s databases, servers, and applications.
The exposed file also revealed credentials to multiple Telegram channels.
“Malicious actors could access the information stored within these Telegram channels, read conversations regarding orders, and be able to access clients’ details,” researchers said.
Emails and passwords for the B2Basket Ozon platform were also present in the exposed file. The platform is normally used to analyze sales, integrate application programming interfaces (APIs), and carry out other commercial tasks on users’ websites. Access to such information grants malicious actors insights into the company’s business performance.
The team discovered that the env. file held credentials to Mindbox, a customer experience management platform. By accessing Mindbox, attackers could tap into the private resources of Kant.ru and edit or delete the website’s data.
Finally, the exposed file contained an AliExpress app key, secret, token, and JSON web tokens (JWTs) that websites use to identify clients.
“If a token is stolen or compromised, the user’s account will be fully accessible to the attacker, just as it would be if the attacker had instead gained access to the user’s username and password,” researchers explained.
In theory, attackers could use the exposed token to take over a user’s AliExpress account and steal personal information stored there, endangering the safety of Kant.ru’s clients. Attackers could also exploit the exposed tokens to launch attacks against other systems that rely on the same tokens.
What should companies with exposed .env files do?
To mitigate the risk from exposed files, the team advises companies to:
- Encrypt all sensitive data. Sensitive data, such as credit card details, should not be stored. Any information, whether at rest or in transit, must be encrypted if retention is required
- Implement zero-trust access
- Reset the IDs, tokens, passwords, and credentials
- Create secure, unique passwords, preferably generated randomly
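As an added example (not code from the Cybernews article or from Kant.ru), a pre-deployment check in Python that walks a web document root, reports any dotenv file sitting inside it, and lists which variables in that file look like credentials; the file names, variable names and values below are constructed for the example, and the name-matching pattern is a heuristic assumed for it.

```python
import re
import tempfile
from pathlib import Path

# Dotenv files that must never sit inside a web-served directory.
ENV_NAMES = re.compile(r"^\.env(\..+)?$")
# Variable names that usually hold credentials (heuristic assumed for this example).
SECRET_KEY = re.compile(r"(TOKEN|SECRET|PASS(WORD)?|API_?KEY|JWT|CREDENTIAL)", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines of a dotenv file, ignoring comments and blank lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def sensitive_keys(env):
    """Return variable names that look like credentials and carry a non-empty value."""
    return sorted(k for k, v in env.items() if v and SECRET_KEY.search(k))

def scan_webroot(webroot):
    """Walk a document root; report every dotenv file found with its credential-like keys."""
    findings = []
    for path in Path(webroot).rglob("*"):
        if path.is_file() and ENV_NAMES.match(path.name):
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.append((str(path.relative_to(webroot)), sensitive_keys(parse_env(text))))
    return sorted(findings)

# Constructed sample dotenv content; none of these values are real credentials.
SAMPLE_ENV = """# constructed example, not real credentials
APP_ENV=production
TELEGRAM_BOT_TOKEN="123456:EXAMPLE-TOKEN"
GRAYLOG_PASSWORD=example-password
ALIEXPRESS_APP_SECRET=example-secret
"""

def demo():
    """Build a temporary document root containing the sample .env and scan it."""
    with tempfile.TemporaryDirectory() as root:
        public = Path(root, "public")
        public.mkdir()
        Path(public, ".env").write_text(SAMPLE_ENV, encoding="utf-8")
        return scan_webroot(public)
```

Running `demo()` returns one finding for `.env` naming the three credential-like variables; wiring `scan_webroot` into a deploy step and failing the deploy on any finding stops the file from ever reaching the web server.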
Updated on October 26 [02:25 PM GMT] with a statement from the company.