
US outdoor sports retailer Peter Glenn has left numerous credentials exposed. The oversight leaves the business vulnerable to severe cyberattacks, including customer data and parcel theft.
The Cybernews research team has discovered that outdoor sports retailer Peter Glenn left a publicly hosted environment configuration file with credentials to multiple databases.
An environment (or .env for short) file is used to store highly sensitive information. Therefore, leaving the file open to anyone might expose critical data and provide threat actors with an array of options for attacking.
In Peter Glenn’s case, the exposed file, which the team first discovered on June 28th, contained so many exposed credentials that two hands were not enough to count them all. Most worryingly, however, the company ignored our researchers’ attempts to reach out for months.
What did the Peter Glenn leak expose?
The short answer is nearly everything – the publicly hosted .env file contained at least 11 different credentials of varying importance. Our team believes that attackers could have a field day exploiting them, targeting Peter Glenn’s business and customer sides from various perspectives.
For example, the team discovered an exposed API key, which likely authenticates and authorizes access to the application’s API services. Malicious actors could use this key to enter restricted digital areas of Peter Glenn’s infrastructure, taking, modifying, or deleting data at will.
That alone would be damaging enough, but the publicly facing .env file also contained an App Key, a cryptographic key used for various security purposes within the application. With this in hand, threat actors could decrypt sensitive data, such as user sessions and tokens, leading to unauthorized access to user accounts and confidential information. It could also compromise the application's authentication and authorization mechanisms.
Meanwhile, an exposed AWS (Amazon Web Services) SES (Simple Email Service) key and secret would let attackers send unauthorized emails, such as spam and phishing messages, on Peter Glenn’s behalf, damaging the company’s reputation. The .env file also included an AWS access key ID and secret.
According to the team, attackers could access and steal sensitive data stored in AWS services. In the worst-case scenario, if the configuration is not protected enough, attackers could even fully take over the AWS account.
“That could include customer information, sales data, and proprietary information. Malicious actors could modify, delete, or manipulate data, disrupt services, and potentially shut down critical systems,” researchers said.

Celerant database credentials were also exposed. Retailers utilize Celerant to manage various aspects of their business operations, including point of sale (POS), inventory management, and e-commerce integration. Exposing Celerant credentials allows attackers to extract customer information, transaction records, and proprietary data.
Moreover, attackers may modify or delete data on Celerant. Another database the company exposed was labeled using the company’s name.
The following set of exposed credentials indicates that the company’s supply chain or parcel delivery algorithm was severely exposed to attackers. The team discovered exposed Mail username and password credentials, UPS access key, user and password, and ShipStation database credentials.
While access to Mail allows attackers to send spam and carry out phishing attacks masquerading as Peter Glenn, UPS credential exposure enables malicious actors to generate fraudulent shipping labels and access UPS services, which could expose shipment details and customer addresses, compromising their privacy and security.
At the same time, malicious actors could use details from Peter Glenn’s ShipStation database to steal customer orders, shipping details, and transaction records. Even worse, attackers could manipulate order statuses, shipping labels, and inventory data, disrupting business operations.
Exposing ShipStation credentials should be particularly concerning to Peter Glenn’s customers, as businesses use the platform to manage e-commerce orders, including order management, label creation, and parcel tracking.
This sounds like quite a lot, but we’re not finished yet. The team also discovered that the .env file contained AWS CloudWatch credentials. Organizations employ the service to collect, access, and correlate a wide variety of data points across their AWS infrastructure, including logs, metrics, and events.
“If attackers gain access to CloudWatch log stream, they could monitor application logs for sensitive information, detect patterns, and exploit potential weaknesses. They could also manipulate logs to hide their activities or generate fake logs to confuse monitoring systems,” the team said.
Last but not least are the credentials to the Redis database, which businesses use for real-time analytics, asynchronous operations control and messaging purposes in applications.
While the exposed credentials would only allow access to connections from a single endpoint, attackers could still use them to escalate privileges or move laterally within the network. However, if the company’s Redis database is outdated and hosted on the same server as other infrastructure, it could allow attackers to perform a full system takeover.
Wake me up when September ends
The team first contacted Peter Glenn on July 1st, 2024, and continued to send follow-up emails nearly every week until August 28th, with no response from the company. The publicly hosted .env file remained open throughout the whole period.
Since malicious actors continuously and persistently scan the internet for publicly facing databases, chances are somebody may have found it in the months since it was opened.
Finally, the team reached out to CERT so the authorities could contact the company and nudge it to solve the issue. On September 4th, we received a reply from CERT that our submission was resolved. However, according to researchers, Peter Glenn closed the .env file from the public sometime between October 1st and 3rd.
We have contacted the company for comment and will update the article once we receive a reply.
To mitigate the issues and avoid similar mishaps in the future, the team advises companies to:
- Render the .env file inaccessible: using any type of authorization or authentication
- Investigate access logs: to identify whether any threat actors have accessed the exposed sensitive information
- Credential rotation: rotate all exposed credentials to mitigate current risks
- Enhanced security measures: implement stricter access controls, use environment-specific configurations, and encrypt sensitive data at rest and in transit
- MFA setup: ensure MFA is enabled in AWS and other exposed services to add an additional layer of security
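The access-log review recommended above, as an added example (not Cybernews' or Peter Glenn's code): it scans web-server access logs for requests that targeted a .env file and lists the clients that were actually served its contents. The combined log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in combined log format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2024:09:14:02 +0000] "GET /.env HTTP/1.1" 200 1843 "-" "curl/8.4.0"
203.0.113.7 - - [28/Jun/2024:09:14:05 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.23 - - [02/Jul/2024:17:40:11 +0000] "GET /%2eenv HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.0.2.50 - - [03/Jul/2024:08:01:44 +0000] "GET /products/env-jacket HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [04/Jul/2024:11:22:09 +0000] "HEAD /app/.env?x=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Last path segment is ".env" or ".env.<suffix>" (backup or per-environment copies).
ENV_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$', re.IGNORECASE)


def find_env_requests(log_text):
    """Return {client_ip: [request, ...]} for every request that targeted a .env file."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        # Drop the query string and decode percent-encoding, so /%2eenv equals /.env.
        path = unquote(m["target"].split("?", 1)[0])
        if not ENV_RE.search(path):
            continue
        status = int(m["status"])
        # A 2xx GET with a non-empty body means the file contents left the server.
        served = m["method"] == "GET" and 200 <= status < 300 and m["size"] not in ("0", "-")
        hits[m["ip"]].append({"time": m["ts"], "method": m["method"], "path": path,
                              "status": status, "served": served})
    return dict(hits)


def clients_that_got_the_file(log_text):
    """Sorted client IPs that were served the file at least once."""
    return sorted(ip for ip, reqs in find_env_requests(log_text).items()
                  if any(r["served"] for r in reqs))


if __name__ == "__main__":
    print(clients_that_got_the_file(SAMPLE_LOG))
```

Any client listed by `clients_that_got_the_file` should be treated as holding every secret in the file, which is why the review feeds directly into the credential rotation step.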
Established in 1958, Peter Glenn is a retail company specializing in outdoor gear and apparel. The company runs several physical stores as well as an online shop. The company’s shops are located in Florida, Georgia, Virginia, and Vermont.
Disclosure timeline
- June 28, 2024: leak discovered
- July 1, 2024: initial disclosure email sent
- September 4, 2024: CERT informed
- October 1-3, 2024: file closed from the public