CyberNews recently discovered that the digital marketing agency teamDigital was exposing multiple environment config files that contain sensitive data. By exposing this type of data, teamDigital was putting its own data and the data of its clients – big names like the NFL, Mastercard, Soundcloud, and more – at risk, potentially leading to ransomware, targeted phishing campaigns, and other attacks.
An environment file (conventionally named .env) holds the configuration a web application loads at startup, including sensitive values such as database credentials, email provider credentials, and API keys. For that reason, it must never be served by the web server or committed to a Git repository, where others may be able to read it.
Our researchers discovered three separate environment files containing credentials for teamDigital’s FTP server, the database behind its SMS tool, and a Mastercard-related API, as well as the Twitter API keys for the League of Legends-related MastercardNexus account, which would allow a cybercriminal to control much of that account.
We notified teamDigital of the exposed files immediately when we discovered them on October 9, 2020, and they reported to CyberNews that the issue was addressed the same day. A request for comment from teamDigital was not returned by the time of publishing.
Who is teamDigital?
These environment config files belong to the digital marketing agency teamDigital Promotions, Inc. located in Connecticut. Besides digital marketing, teamDigital also provides services related to legal compliance and administration, plus engagement solutions and platforms. According to teamDigital’s website, its clients include such top brands as:
- Carnival Cruise Line
- The 100-year-old clothing brand New York & Company
League of Legends, Mastercard and teamDigital client data exposed
Because these environment files were publicly reachable, CyberNews was able to view credentials and configuration belonging to some of teamDigital’s clients. It appears that teamDigital uses Egnyte, a cloud platform for sharing files whose website promises “a unified platform to govern and secure content everywhere.”
Due to the misconfiguration, anyone could view multiple environment config files, including:
- teamDigital’s FTP env file. We were able to view teamDigital’s FTP username and plaintext password. This file also contains the Twitter API keys for MastercardNexus (@mastercardnexus), the official Twitter account tied to @LoLesports for League of Legends, arguably the most popular esports title currently available.
- teamDigital’s SMS tool env file. We were able to view teamDigital’s MySQL database username and plaintext password, its AWS access key ID and secret access key, and credentials for other related accounts.
- Mastercard Privacy API env file. Although we are unsure what this file is related to, it contains, again, plaintext MySQL database credentials, API keys, and other data related to Mastercard.
[Screenshot: example from teamDigital’s env file for its SMS tool]
[Screenshot: example from teamDigital’s FTP and MastercardNexus file]
What’s the impact of the teamDigital exposed files?
The true scope of the teamDigital environment config exposure could only be ascertained by accessing the various databases and understanding what permissions are granted, what data is held on the FTP server, and so on.
However, we refrained from doing so for legal and ethical reasons. Nonetheless, we can estimate the impact of the exposed files by looking at each in turn.
The FTP credentials and MastercardNexus Twitter API keys
If cybercriminals were to use the FTP details contained in the first env config file, they would be able to access teamDigital’s FTP server. While we can’t be certain what data is contained there, it is possible that it houses sensitive information about teamDigital’s business and its long list of popular clients, including the NFL, MLB, WNBA and others. What kind of data could a digital marketing agency have related to those brands? Most likely similar Twitter API keys, as well as other social media credentials. There may also be private, marketing-related materials that those brands would like to keep from the public eye.
Beyond that, with the MastercardNexus Twitter API keys, a cybercriminal would be able to post from that account (assuming, as is normal for a tool that publishes tweets, that the tokens carried write permission), for example during a League of Legends esports competition such as the ‘Worlds’ championship that is currently in full swing. These could resemble the cryptocurrency tweets of the Great Twitter Hack of July 2020, when multiple verified Twitter accounts tweeted bitcoin-related scam messages. Because Mastercard is a leading financial brand, such tweets might prove convincing.
teamDigital’s SMS tool and Mastercard Privacy
For these two env config files, we are less confident about what could be done with the data they contain. First of all, teamDigital’s website gives no indication that it even offers an SMS tool. Nonetheless, the file does hold MySQL database and AWS account credentials, as well as credentials for another service. With these, cybercriminals could read, steal and potentially manipulate the data in that database and AWS account.
Similarly, we are unsure what the Mastercard Privacy API env config file relates to. Cybercriminals could likely figure that out by accessing the MySQL database. Nonetheless, we believe it is related to teamDigital’s “legal compliance and administration” services, since the file lists several GET and POST API endpoint URLs.
We disclosed the issue to teamDigital on Friday, October 9, 2020 when we discovered it. On the same day, teamDigital reported to CyberNews that the issue “has been addressed.” We confirmed that the environment files were no longer accessible.
In general, then, we recommend the following steps to keep your data safe:
- For developers, at teamDigital and elsewhere, make sure your web server never serves the .git directory or any .env file, and that your repositories are not publicly visible. Even then, avoid committing sensitive keys and files to the repository: add .env to .gitignore and supply secrets through the deployment environment instead.
- If you are a client of teamDigital or a company connected to it, make sure to check your online accounts for any strange behavior. You should also review the communications between your company and teamDigital to see if any sensitive details were exchanged.
- Lastly, for users, depending on what social media credentials might have been exposed, make sure to be critical of suspicious tweets or other social media posts, even if those accounts are verified.
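As an added example (this is not CyberNews’ or teamDigital’s code), the following Python script does the two checks the developer advice above calls for: it asks whether a web server hands out /.env or /.git/HEAD to anyone who requests them, and it parses a leaked .env in the format described earlier in this article to report which variables look like secrets. The probe paths, the secret-name heuristics, the hostname example.invalid, the assumed script name envcheck.py and the sample .env body are all constructed for the demo, not taken from the exposed files.

```python
"""Added example, not CyberNews' or teamDigital's code: check whether a site
serves its .env file or .git metadata, and triage what a leaked .env exposes.
Probe paths, secret-name hints and the sample body are constructed for the demo."""
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Paths a web server should never serve (constructed list; extend as needed).
PROBE_PATHS = ("/.env", "/.git/HEAD")

# Substrings of variable names that usually carry secrets (case-insensitive).
SECRET_HINTS = ("PASS", "SECRET", "TOKEN", "KEY", "CREDENTIAL")

# KEY=value with optional "export " prefix; the value may be quoted.
ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text):
    """Parse dotenv syntax: KEY=value, optional quotes, # comments, export prefix."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                        # quoted value, taken literally
        else:
            value = value.split(" #", 1)[0].rstrip()   # drop an inline comment
        env[key] = value
    return env


def secret_keys(env):
    """Variable names in a parsed .env that look like they hold secrets."""
    return sorted(k for k in env if any(h in k.upper() for h in SECRET_HINTS))


def looks_like_git_head(text):
    """.git/HEAD is either 'ref: refs/...' or a bare 40-hex commit id."""
    body = text.strip()
    return body.startswith("ref: refs/") or re.fullmatch(r"[0-9a-f]{40}", body) is not None


def http_fetch(url, timeout=5):
    """Real fetcher: (status, body) for a URL; (None, '') on a network error."""
    req = Request(url, headers={"User-Agent": "env-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return None, ""


def probe(base_url, fetch=http_fetch):
    """Return {path: finding} for each probe path served with telltale content.
    A 200 alone is not evidence: many sites answer every path with a 200 HTML
    page (a soft 404), so the body must actually look like the file."""
    findings = {}
    for path in PROBE_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        if status != 200:
            continue
        if path == "/.env":
            keys = secret_keys(parse_dotenv(body))
            if keys:
                findings[path] = {"exposed_keys": keys}
        elif path == "/.git/HEAD" and looks_like_git_head(body):
            findings[path] = {"note": "git metadata served; repository may be downloadable"}
    return findings


# Constructed sample .env body (placeholder values, not real credentials).
SAMPLE_ENV = """# constructed sample, not real data
APP_ENV=production
DB_HOST=127.0.0.1
DB_USERNAME=smsapp
DB_PASSWORD="not-a-real-password"
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
AWS_SECRET_ACCESS_KEY=exampleSecretExampleSecretExample
TWITTER_CONSUMER_KEY=example-consumer-key  # inline comment
"""


def fake_fetch(url):
    """Offline stand-in for http_fetch: serves SAMPLE_ENV at /.env and a
    soft-404 HTML page (status 200) for everything else."""
    if url.endswith("/.env"):
        return 200, SAMPLE_ENV
    return 200, "<html><body>Page not found</body></html>"


if __name__ == "__main__":
    # Pass a base URL to probe a real host you are authorised to test;
    # with no argument, run offline against the constructed sample.
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(probe("https://example.invalid", fetch=fake_fetch))
```

Run it as `python envcheck.py https://your-site.example` against a host you are authorised to test; with no argument it runs offline against the constructed sample, reporting the .env as exposed and the soft-404 page at /.git/HEAD as not a finding. Whatever it reports, the server-side fix is the same: keep .env outside the web root, deny every dotfile path at the web server (for nginx, a `location ~ /\.` block that returns 404), and list .env in .gitignore so it is never committed.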