While the tracker platform claims that it encrypts data, more than 13 million screenshots containing sensitive information are public, putting users and clients at risk of attack.
On June 11th, the Cybernews research team discovered an unprotected Amazon S3 storage bucket associated with the WebWork Tracker application, operated by a software company based in Yerevan, Armenia.
The company provides multiple services to organize the workforce, such as tracking remote workers' time and productivity and billing services.
Clients using the company’s service include San Francisco-based remote hiring giant Deel, as well as businesses in Austria, the Netherlands, India, and the US. According to the WebWork Tracker website, the platform has over 140,000 users and serves over 15,000 businesses worldwide.
The company’s time tracking application takes screenshots of users' screens so that the employer can see what a remote worker has been working on. These screenshots were uploaded to the company’s cloud storage, which was misconfigured and required no authentication to access.
At the time of writing, the leaking bucket stored over 13 million logs and screenshots. The exact number is unknown, as new files were still being added while the bucket was exposed.
On its website, the company claims the screenshots are end-to-end encrypted and stored on the Amazon S3 cloud to ensure security. That claim does not hold up: end-to-end encrypted data would be unreadable without the decryption key, whereas the screenshots in the leaking bucket could be viewed directly.
A security lapse like this can cause much more than reputational damage. By failing to secure the data, the company is violating data protection laws such as the European General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Violations can result in fines of 2% to 4% of the company’s total global annual revenue.
Moreover, a dataset left accessible on the internet becomes a treasure trove for threat actors and significantly increases the risk of a supply chain attack. Such cyberattacks target a weak point in a network, like a third-party vendor or supplier, to gain access to the organization's systems and data.
Millions of screenshots from remote employees' devices could not only expose personal data or confidential business information but could also contain credentials, API keys, and other sensitive information that could be exploited to attack businesses worldwide.
Cybernews contacted WebWork Tracker, and the leak was eventually closed. The company apologized and assured that they have advanced their security measures to prevent potential data leaks in the future.
To avoid leaking personal data, researchers advise the company to:
- Secure the exposed bucket with proper access controls and ensure it is password-protected
- Conduct a thorough security audit to identify and rectify any other potential vulnerabilities
- Implement regular security monitoring and incident response protocols
- Educate employees about data security best practices to prevent future breaches
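The first recommendation concerns the misconfiguration at the heart of this leak: an S3 bucket whose access settings let anyone read its contents. The following Python is an added example, not code from Cybernews or WebWork Tracker, showing how a defender can evaluate a bucket policy document offline for an unconditional grant to the anonymous principal, and how the S3 Public Access Block setting RestrictPublicBuckets neutralises such a grant. The bucket name, role ARN and both policies are constructed for the example; object ACLs, a separate path to public exposure, are out of scope here.

```python
import json
from fnmatch import fnmatch

# Constructed sample policies (not from the article). The first grants the
# anonymous principal read access to every object, which is what makes a
# bucket of uploaded screenshots readable by anyone on the internet.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-screenshots",
                                "arn:aws:s3:::example-screenshots/*"]}]})
# Same bucket, but only a named role in the owning account may read it.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/tracker-api"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-screenshots/*"}]})
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone, unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def statement_grants_public_read(stmt):
    """True if the statement unconditionally lets anyone read objects or list the bucket."""
    if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
        return False
    if stmt.get("Condition"):
        return False  # scoped grants (e.g. by source VPC) need manual review, not auto-flagging
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatch(action, pattern) for action in READ_ACTIONS for pattern in patterns)

def bucket_is_public(policy_json, public_access_block=None):
    """Evaluate a bucket policy together with the Public Access Block settings.
    RestrictPublicBuckets makes S3 ignore public grants for anonymous callers."""
    if (public_access_block or {}).get("RestrictPublicBuckets"):
        return False
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return any(statement_grants_public_read(s) for s in statements)
```

In practice the policy document and the Public Access Block configuration are fetched with the AWS API (for example GetBucketPolicy and GetPublicAccessBlock) and fed to `bucket_is_public` as part of a periodic audit.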
Disclosure timeline:
- Leak discovered: June 11th
- Initial disclosure: August 13th
- CERT contacted: October 9th
- Leak closed: January 10th
Updated on the 10th of January after receiving confirmation that the leak had been closed.