Lowe’s Market chain leaves client data up for grabs

A misconfiguration on a website owned by the US-based Lowe’s Market grocery store chain could have allowed threat actors to gain control of its systems.

On February 7, the Cybernews research team discovered a misconfiguration on the Lowe's Market website. The supermarket chain’s website was leaking a treasure trove of private credentials, which left the company vulnerable to potential attacks by cybercriminals.

Together, the compromised credentials could enable an unscrupulous hacker to gain control of most of the online store's functionality, see sensitive customer information, and abuse access to paid services, all while putting Lowe's Market customers at risk.

With almost 150 locations, the Lowe's chain primarily operates stores in Texas, New Mexico, Colorado, Arizona, and Kansas.

By the time of writing, the company had already fixed the issue. Cybernews reached out to Lowe's Market regarding the details of the misconfiguration and the possible duration of the data exposure, but the company has yet to respond to the inquiry.

Access to databases

Researchers found a publicly accessible environment file (.env) hosted on the Lowe’s Market website. Public access to the file posed a risk to the security of the company’s systems, as it was leaking sensitive data and numerous credentials.

An examination of the environment file suggests that the developers were not following best practices, and poor security configuration may have exposed further secrets (the industry term for credentials and other vital data that must be kept private).
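The root cause here is a web server that hands out any file in the document root, dotfiles included. The following is an added example (not code from Cybernews, Lowe's Market or Webstop) of the control a defender would put in front of such a directory: a request-path check that refuses every dot-prefixed segment after percent-decoding and path normalisation, so `/.env`, `/.env.backup`, `/%2Eenv` and `/assets/../.env` are all refused, while the conventional `.well-known` directory stays reachable. The handler class and the allow-list name are this example's own; in production the same rule is expressed in the real server's configuration (for example an nginx `location ~ /\.` block that denies access), and the secrets should live outside the document root in the first place.

```python
import posixpath
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import unquote, urlsplit

# Dot-directories that legitimately must be served (ACME challenges, security.txt).
# This allow-list is an assumption of the example; extend it for your own site.
ALLOWED_DOT_DIRS = {".well-known"}


def is_blocked_path(raw_path: str) -> bool:
    """Return True if the request path must never be served from the web root.

    Any path segment starting with '.' is refused (.env, .git, .htpasswd, ...).
    The query string is dropped, the path is percent-decoded and normalised
    first, so '/%2Eenv' and '/assets/../.env' cannot slip past the check.
    """
    path = posixpath.normpath(unquote(urlsplit(raw_path).path))
    segments = [s for s in path.split("/") if s]
    if segments and segments[0] in ALLOWED_DOT_DIRS:
        segments = segments[1:]
    return any(s.startswith(".") for s in segments)


class DotfileDenyingHandler(SimpleHTTPRequestHandler):
    """Static file handler that refuses dotfiles before touching the filesystem."""

    def do_GET(self):
        if is_blocked_path(self.path):
            # 404 rather than 403, so the response does not confirm the file exists.
            self.send_error(404, "Not Found")
            return
        super().do_GET()


if __name__ == "__main__":
    # Serves the current directory on localhost only; for demonstration.
    HTTPServer(("127.0.0.1", 8080), DotfileDenyingHandler).serve_forever()
```

Put this check first in the request path: it costs nothing and does not depend on every deployment remembering to move `.env` out of the web root.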

The leaked secrets could have allowed threat actors to access databases, as the hosts, usernames, and ports of the main, tracking, legacy, recipe, and Redis (redis.io) databases were exposed.

Database hosts and credentials are considered sensitive information, as they are used to access respective databases and their contents. In the case of Lowe’s Market, most database hosts are internet-connected, making it particularly easy for threat actors to access them.

Screenshot of environment file exposing database credentials | Source: Cybernews

For legal reasons, the researchers could not inspect the contents of the databases, but their names suggest that some of them contained product information, such as recipes, while others could have contained customer usage data.

At least one of the databases likely contained user information, as the company offers limited support for online grocery purchases. One of the names in the legacy database contained the word “billing,” leading researchers to assume that it may have held private user data.

The environment file also revealed an Amazon Web Services (AWS) S3 access key together with the bucket name. With these, an attacker could have authenticated to the bucket, read its contents, and modified or deleted existing data.

While the AWS S3 bucket could have stored sensitive information, based on its name, researchers assume it stored only website-related assets.

“The bucket most likely only stored images used by the site and similar, non-sensitive assets,” said Cybernews researcher Aras Nazarovas.

“It is possible that it contained sensitive information as well, as we saw some cases like that, but there is no way to know in this particular case.”

A treasure trove of keys uncovered

The .env file contained numerous application programming interface (API) keys, each tied to a specific piece of the website’s functionality. Malicious actors could have used the leaked API keys and credentials to steal user information, change product pricing, and hijack most of the store's functionality.

One of these leaked keys, for the GrocerKey API, allowed access to partial credit card information, addresses, and top-spending users, as well as the ability to send unsolicited orders, issue refunds, launch ad campaigns, reset passwords, and check in-store and in-app balances.

The REST API key used to query user information was also leaked; combined with the GrocerKey API key, it could have allowed a threat actor to make unauthorized online purchases.

Some other leaked keys could have enabled threat actors to use the company’s official communication channels to send malicious messages across various platforms.

Leaked API keys | Source: Cybernews
Screenshot of leaked API keys and email credentials | Source: Cybernews

For instance, cybercriminals could have used the leaked Campaign Monitor, Pushwoosh, Loyalty Lane, and Postmark API keys to send emails, application notifications, and SMS messages to Lowe's Market users. In addition, the threat actor could have used leaked Inmar API keys and credentials to produce custom coupons with significant discounts.

Finally, the exposed Geocoder API key could have allowed a threat actor to gain access to the company’s Google Maps API. A malicious actor could have used the key for their own requests, driving up usage and, with it, the bills the company would be responsible for paying.

This is because each request sent through the Geocoder API to Google Maps would be charged to the company as the legal owner of that account.

“No sensitive information can be obtained, the only possible misuse would be to send requests through the API, or flooding the API with requests to a point where the account would be rate-limited, affecting the website's ability to display maps,” said Nazarovas.

Takeover of Facebook app

Along with the API keys, the environment file also exposed Facebook OAuth credentials and GitHub OAuth tokens.

Using the leaked Facebook app ID and secret key, the attacker could have requested sensitive user data from Facebook or taken over Lowe's Market’s Facebook application, with serious consequences for user privacy and security.

Leaking the GitHub OAuth token was dangerous in its own right, as such a token can provide unauthorized access to a user's GitHub account and the repositories it contains.

More grocery stores might be affected

Leaked usernames and email addresses showed that the Lowe’s Market website was developed and maintained by Webstop, which creates end-to-end digital solutions for grocery stores.

While Lowe’s Market is its biggest client, it has also worked with other grocery stores, including Mollie Stone’s Markets, IGA, Shurfine, Harps, and Great Lakes Food.

The leaked OAuth token for GitHub could have granted read-only access to all Webstop repositories. This access could have enabled a malicious actor to download the source code for Lowe's Market and other supermarket brands that were using Webstop services.

Furthermore, the leak put Webstop clients at risk of social engineering attacks, because Simple Mail Transfer Protocol (SMTP) credentials for the [email protected] account were also compromised, jeopardizing the company's email security.

SMTP credentials play a crucial role in the confidentiality and integrity of email communication: they are what ensures that only authorized personnel can access the contents of a mailbox and send messages from a given address.
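Once a file like this is found exposed, the first job for the responder is to inventory what it contained (database credentials, cloud storage keys, third-party API keys, OAuth secrets, SMTP credentials, as described in the sections above) and turn that into a rotation plan without copying the secrets themselves into tickets. The script below is an added example of that triage step; it is not code from Cybernews or from the companies involved. It parses a constructed `.env` sample (every value is invented; the key names echo the kinds of credentials the article describes), classifies each entry by category and severity, redacts the values, and groups the credentials that must be rotated. The regular expressions, category names and recommended actions are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of a leaked .env. Every value is invented for the example;
# none is a real credential. Key names mirror the categories the article lists.
SAMPLE_ENV = """\
APP_ENV=production
# main database
DB_HOST=db-main.example.internal
DB_PORT=3306
DB_USERNAME=store_app
DB_PASSWORD="c0nstructed-db-pass-123"
REDIS_HOST=redis.example.internal
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000000
AWS_SECRET_ACCESS_KEY=constructed/example+secret000000
AWS_BUCKET=example-site-assets
GROCERKEY_API_KEY='gk_constructed_example_key'
FACEBOOK_APP_SECRET=constructed_fb_app_secret
GITHUB_TOKEN=ghp_constructedExampleToken000
SMTP_HOST=smtp.example.com
SMTP_PASSWORD=constructed-smtp-pass
export MAIL_FROM=noreply@example.com
"""

# Key names that denote a usable credential (high severity).
SECRET_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY|PRIVATE_KEY)", re.I)
# Not credentials by themselves, but they map out internal systems and accounts
# (the article notes hosts, usernames and ports were exposed alongside passwords).
CONTEXT_RE = re.compile(r"(HOST|HOSTNAME|USERNAME|USER|PORT|BUCKET)$", re.I)

CATEGORY_RULES = [
    ("database", re.compile(r"^(DB|DATABASE|REDIS|MYSQL|PG|POSTGRES|MONGO)_", re.I)),
    ("cloud_storage", re.compile(r"^(AWS|S3)_", re.I)),
    ("oauth", re.compile(r"^(FACEBOOK|FB|GITHUB|GOOGLE)_", re.I)),
    ("mail", re.compile(r"^(SMTP|MAIL|POSTMARK)_", re.I)),
]
ROTATION_ACTION = {
    "database": "rotate the DB password, then firewall the host to the application servers",
    "cloud_storage": "deactivate the IAM access key, issue a new one, review bucket object history",
    "oauth": "regenerate the app secret / revoke the token, audit recent API and repo activity",
    "mail": "reset the mailbox password and review outbound mail logs for unauthorised sends",
    "third_party_api": "regenerate the key in the provider console and check usage or billing logs",
}


@dataclass
class Finding:
    key: str
    category: str
    severity: str  # "high" = usable credential, "medium" = infrastructure detail
    redacted: str


def parse_env(text: str) -> dict:
    """Parse KEY=value lines; handles comments, blanks, an 'export ' prefix and quotes."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip().strip("'\"")
    return pairs


def redact(value: str) -> str:
    """Keep just enough of a value to recognise it in a ticket, never the whole secret."""
    return value[:2] + "..." + value[-2:] if len(value) > 8 else "***"


def categorise(key: str) -> str:
    for name, pattern in CATEGORY_RULES:
        if pattern.search(key):
            return name
    return "third_party_api"


def triage(text: str) -> list:
    """Classify every exposed entry; plain settings such as APP_ENV are skipped."""
    findings = []
    for key, value in parse_env(text).items():
        if SECRET_RE.search(key):
            severity = "high"
        elif CONTEXT_RE.search(key):
            severity = "medium"
        else:
            continue
        findings.append(Finding(key, categorise(key), severity, redact(value)))
    return findings


def rotation_plan(findings: list) -> dict:
    """Group the credentials that must be rotated by category, with the action to take."""
    plan = {}
    for f in findings:
        if f.severity == "high":
            entry = plan.setdefault(f.category, {"action": ROTATION_ACTION[f.category], "keys": []})
            entry["keys"].append(f.key)
    return plan


if __name__ == "__main__":
    found = triage(SAMPLE_ENV)
    for f in found:
        print(f"{f.severity:6} {f.category:16} {f.key}={f.redacted}")
    for category, entry in rotation_plan(found).items():
        print(f"\n[{category}] {entry['action']}\n  keys: {', '.join(entry['keys'])}")
```

The medium-severity entries (hosts, usernames, ports, bucket names) are not rotated, but they are still worth recording: they tell the responder which internal systems an attacker now knows about and which should be checked for exposure to the internet.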

However, malicious actors could have exploited these leaked credentials to launch phishing attacks on Webstop’s clients, meaning cybercriminals could have sent unsolicited emails to the company's customers, luring them into downloading malicious attachments or clicking on phishing links.

Lowe’s Market is not the first in the US food industry to experience a data leak. In February, online grocery delivery platform Weee! leaked delivery data of 11 million customers. Attackers used a popular forum to share a database containing the information, exposing sensitive delivery-related details.