A critical server for popular weight-loss service Weight Watchers was left unprotected, allowing researchers to take a bite out of dozens of exposed S3 buckets containing company data and AWS access keys.
Researchers at Kromtech Security said that they discovered a Weight Watchers Kubernetes administration console earlier this month that was accessible over the Internet – without any password protection.
Weight Watchers, which has been notified and has secured the console, said that its infrastructure was not compromised. A Kromtech Security spokesperson told Threatpost that researchers did not see any personally identifiable information exposed.
“[Weight Watchers] also confirms that no customer data was impacted,” the spokesperson told Threatpost. “However, the danger of the exposure is the availability of the root administration keys online that – potentially – could have opened many doors for malicious actors.”
The researchers said the open console was Kubernetes, an open-source container orchestration tool developed by Google, that automates the deployment and monitoring of application containers.
Researchers said there was no password set for the Kubernetes cluster, which was found on at least three IP addresses with a kubelet port (specifically, port 10250) exposed.
That allowed access to all of the pod’s specifications, including the AWS access key (access key ID and secret access key) and several dozens of S3 buckets with company data, the researchers said. Overall, there were 31 users, including a user with root and administrative credentials and applications with programmatic access, impacted.
“The words ‘public without password’ and ‘administration interface’ should never go together,” Kromtech Security researchers said in a post on Friday. “By not properly protecting the administration console, Weight Watchers provided all the keys and information needed to gain full root access to their entire cluster. It was too easy.”
The Kromtech Security spokesperson told Threatpost that Weight Watchers responded “in a timely manner and secured the console within same day, claiming though that this was a testing environment.”
Weight Watchers did not respond to a request from Threatpost for further comment. According to Kromtech Security, Weight Watchers sent the researchers this response:
Thanks again for responsibly disclosing your issue. We really appreciate the community working to make us all safer. We have confirmed the issue – a security group for a test cluster in our non-production account was misconfigured during testing.
The issue should be resolved and keys should be revoked. We’ve also implemented some safeguards to protect against this issue from recurrence.
But Kromtech researchers said that even if it was a test Kubernetes cluster, “the DevOps responsible for it has no excuse. [The] Kubelet connection is not secure enough to be run across the internet. SSH tunnels must be used to securely put packets onto the cluster’s network without exposing the Kubelet’s web server to the internet,” they said.
Kromtech researchers suggested that companies protect their administration interfaces via an array of measures, including restricting port ranges at the firewall and forcing access only via secure sockets.
“All of this should be done even if it’s strictly on an internal network,” they said. “Reports are rife with internal machines accidentally ending up out on the internet.”
Publicly accessible unprotected databases, administration interfaces and storage buckets have continued to be a simple-to-fix yet alarmingly widespread issue, resulting in reams of exposed critical data. Also, in May, researchers established a PoC attack that could allow unauthenticated bad actors to extract user credentials from misconfigured reverse proxy servers, to extract data from websites and applications.
Source: ThreatPost