A popular promotional gift platform, gs-jj.com, left 300,000 customer emails exposed for months. The leak hints at potential Operational Security (OPSEC) failures: the company appears to operate from China, and roughly 2,500 of the exposed emails were sent from .mil and .gov domains.
On July 10th, 2024, the Cybernews research team discovered an open Elasticsearch instance belonging to EnamelPins Inc. The company, which operates the gs-jj.com service, designs and manufactures emblematic accessories such as patches, lapel pins, emblems, and medals.
Elasticsearch is a powerful search and analytics engine for quickly analyzing large amounts of data.
EnamelPins’ instance contained over 300,000 private emails sent between the company and its clients. Some emails contained full names, other personal information, and product design documents. The exposed users risk being targeted in spearphishing campaigns or other malicious activity.
Among the leaked emails, around 2,500 were from .mil and .gov email domains belonging to officers of different US military branches and to government officials. These were mostly orders for products such as patches, coins, medals, and, in some cases, even battalion emblems.
“The emails and attachments exposed sensitive information about high-ranking military officials. They could be used to determine their position in certain Army units, phone numbers, email addresses, and shipping addresses. The attachments included designs for the emblems,” the Cybernews researchers said.
The research team also discovered other security issues with the website: a publicly accessible Git configuration file and a .DS_Store file that revealed the folder and file structure of the site. These hidden files appear to have been uploaded by accident and left accessible. They reveal the company’s operational links with China.
Leak raises OPSEC concerns
EnamelPins Inc. is a privately owned corporation registered in California, US. It was founded in 2018. The gs-jj.com service is primarily aimed at civilians.
However, the leak reveals that US Military and Government officials used the service to order items related to and unrelated to their official duties and operations.
“This leak illustrates how a simple emblem order may become a potential Operational Security failure within the US military and government,” the Cybernews researchers said.
This is also significant due to the rising US-China political disagreements and military tension.
Many details unveiled in the leak suggest that the affected service is operationally linked to China, which has laws that obligate companies to provide data to the government without clear boundaries.
The links to China include:
- A publicly accessible Git configuration file revealed that the website’s source code repository is hosted on a server in China. The website’s assets are hosted on Alibaba Cloud, and the administration login page is in Chinese.
- Customer support communicates in broken English, and the long delivery times are consistent with shipping from China.
- The Company’s official communication on YouTube confirms they “have a complete expert team in China. Meanwhile, lots of offices and agencies have been set up in North America.”
It’s unclear where the company stores customer data. The US has no federal law restricting where customer data may be stored or transferred, comparable to the EU’s General Data Protection Regulation (GDPR), which governs transfers of personal data outside the EU.
“Due to the Chinese government’s broad powers to access data, it may be risky for US Government and Military officials to use Chinese services, especially in the official settings. This leak raises OPSEC concerns, as ordering patches, emblems, and other items can inadvertently expose ranks, divisions, and personal information,” the researchers said.
Data left leaking for months
Cybernews researchers responsibly disclosed the publicly accessible Elasticsearch instance, Git configuration file, and .DS_Store file on July 11th, 2024. However, it took multiple follow-up emails and a submission to CERT (Computer Emergency Response Team) before EnamelPins closed the leak on November 5th, 2024.
IoT search engines had indexed the open instance even earlier, on April 22nd, 2024, so the data was reachable for more than six months. Such a long exposure increases the risk that third-party threat actors already accessed the data.
Cybernews researchers explain that Elasticsearch instances holding sensitive data, as in this case, should be protected by firewalls and by authentication and authorization. In practice that means binding network.host to a private interface rather than 0.0.0.0, leaving xpack.security.enabled set to true so that the HTTP API rejects unauthenticated requests, and filtering the HTTP (9200) and transport (9300) ports at the network perimeter; an instance that answers GET / on port 9200 with its cluster name and version to an anonymous client is already discoverable by the same search engines that indexed this one.
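As an added example, not code from Cybernews or from EnamelPins, the script below checks a hostname for the three exposures this article describes: a .git/config served from the web root (and extracts the remote URL, which is what revealed where the repository is hosted), a served .DS_Store file, and an Elasticsearch HTTP endpoint that answers an anonymous GET / with its banner. The host name, responses, repository URL and cluster details in the sample data are constructed for the demonstration; the port 9200 default and the https scheme are assumptions. It uses only the Python standard library.

```python
"""Check a host for a served .git/config, a served .DS_Store, and an
unauthenticated Elasticsearch endpoint (added example, not the page's code)."""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# A fetcher maps a URL to (HTTP status, first bytes of the body), or None when
# the host is unreachable. Injectable so the checks can run offline.
Fetcher = Callable[[str], Optional[Tuple[int, bytes]]]

DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"  # fixed header of every .DS_Store file


def http_fetch(url: str, timeout: float = 5.0) -> Optional[Tuple[int, bytes]]:
    """Default fetcher: a single GET reading at most 8 KiB of the body."""
    req = Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(8192)
    except HTTPError as err:  # 401/403/404 are answers, not failures, here
        return err.code, b""
    except (URLError, OSError):
        return None


_REMOTE_SECTION = re.compile(r'^\s*\[\s*remote\s+"([^"]+)"\s*\]\s*$')
_ANY_SECTION = re.compile(r"^\s*\[.*\]\s*$")
_KEY_VALUE = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")


def git_remotes(config_text: str) -> Dict[str, str]:
    """Return {remote name: url} from the text of a .git/config file.
    Git's format is INI-like with tab-indented keys; a purpose-built parser
    avoids configparser's continuation-line rules."""
    remotes: Dict[str, str] = {}
    current: Optional[str] = None
    for line in config_text.splitlines():
        section = _REMOTE_SECTION.match(line)
        if section:
            current = section.group(1)
            continue
        if _ANY_SECTION.match(line):
            current = None
            continue
        kv = _KEY_VALUE.match(line)
        if current and kv and kv.group(1) == "url":
            remotes[current] = kv.group(2)
    return remotes


def es_banner(status: int, body: bytes) -> Optional[Dict[str, str]]:
    """Parse the root document Elasticsearch returns to an anonymous GET /.
    A node with security enabled answers 401 instead, which yields None."""
    if status != 200:
        return None
    try:
        data = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return None
    if not isinstance(data, dict) or "cluster_name" not in data:
        return None
    version = data.get("version") or {}
    return {"cluster": str(data["cluster_name"]), "version": str(version.get("number", "?"))}


@dataclass
class Finding:
    url: str
    issue: str
    detail: str


def check_host(host: str, fetch: Fetcher = http_fetch, scheme: str = "https",
               es_port: int = 9200) -> List[Finding]:
    """Run the three checks against one host and return what was exposed."""
    findings: List[Finding] = []

    url = f"{scheme}://{host}/.git/config"
    resp = fetch(url)
    if resp and resp[0] == 200 and b"[core]" in resp[1]:
        remotes = git_remotes(resp[1].decode("utf-8", "replace"))
        detail = ", ".join(f"{n} -> {u}" for n, u in remotes.items()) or "no remote URL"
        findings.append(Finding(url, "exposed .git/config", detail))

    url = f"{scheme}://{host}/.DS_Store"
    resp = fetch(url)
    if resp and resp[0] == 200 and resp[1].startswith(DS_STORE_MAGIC):
        findings.append(Finding(url, "exposed .DS_Store", "directory metadata is readable"))

    url = f"http://{host}:{es_port}/"
    resp = fetch(url)
    banner = es_banner(*resp) if resp else None
    if banner:
        findings.append(Finding(url, "unauthenticated Elasticsearch",
                                f"cluster {banner['cluster']} v{banner['version']}"))
    return findings


# Constructed responses standing in for a misconfigured host; not real data.
SAMPLE_RESPONSES = {
    "https://shop.example/.git/config": (200, b'[core]\n\trepositoryformatversion = 0\n'
        b'[remote "origin"]\n\turl = git@git.internal.example:shop/site.git\n'
        b'\tfetch = +refs/heads/*:refs/remotes/origin/*\n'),
    "https://shop.example/.DS_Store": (200, DS_STORE_MAGIC + b"\x00" * 16),
    "http://shop.example:9200/": (200, b'{"name":"node-1","cluster_name":"shop-es",'
        b'"version":{"number":"7.17.3"},"tagline":"You Know, for Search"}'),
}
# The same constructed host after hardening: hidden files 404, Elasticsearch demands credentials.
HARDENED_RESPONSES = {
    "https://shop.example/.git/config": (404, b""),
    "https://shop.example/.DS_Store": (404, b""),
    "http://shop.example:9200/": (401, b'{"error":"missing authentication credentials"}'),
}


def sample_fetch(url: str) -> Optional[Tuple[int, bytes]]:
    return SAMPLE_RESPONSES.get(url)


def hardened_fetch(url: str) -> Optional[Tuple[int, bytes]]:
    return HARDENED_RESPONSES.get(url)


if __name__ == "__main__":
    for f in check_host("shop.example", fetch=sample_fetch):
        print(f"{f.issue}: {f.url} ({f.detail})")
    print("after hardening:", check_host("shop.example", fetch=hardened_fetch))
```

To run it against your own infrastructure, call check_host with a real hostname and the default http_fetch; an empty list is the expected result for a hardened site, and an Elasticsearch node that is reachable but secured shows up as a 401 rather than a finding. Only scan hosts you are authorized to test.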
Cybernews contacted EnamelPins for additional comments regarding the leak but has yet to receive a response.
Disclosure timeline
- July 10th, 2024: Leak discovered.
- July 11th, 2024: Initial disclosure email sent, and multiple follow-up emails followed.
- August 26th, 2024: CERT informed.
- November 5th, 2024: Access to the data was closed.