More than 1200 businesses using TrustSales face the risk of data leakage

Elliot Alderson
4 min read · Oct 16, 2020

Summary

The TrustSales developer team trusted end-users completely and allowed them to upload files of any format to the system. Hackers took advantage of this loophole and took control of the server and the entire database.

Severity: Critical

Description

Most web applications let users change avatars, share images and videos, manage files, or manage product images. This is one of the most important and popular functions on most websites. Moreover, these files are processed on the server side, so this is one of the targets hackers are especially interested in.

Applications that do not control, or only loosely control, the content of files uploaded by users can be used to hijack the server and database.

According to statistics from the Kaspersky Global Corporate IT Security Risks Survey, an annual global survey of enterprise IT security risks published on April 9, companies are most concerned about data breaches (34%), followed by data leakage from internal systems (31%). This is especially true of businesses in Southeast Asia.

Personal data such as phone numbers, ID numbers and bank account numbers, or, even more dangerously, the rights to manage sales fan pages, may be leaked. Such data can be sold publicly, and the resulting harassment and frustration have become a worry for many people and businesses.

Around the world there have been many lessons in which data leakage led to media and financial crises:

  • Between October 2014 and May 2019, the data of more than 9.4 million Cathay Pacific customers worldwide was leaked because of the airline's inadequate computer systems. The airline had to pay a fine of 500,000 British pounds (644,000 USD).
  • On January 7, information on more than 5 million customers, believed to have leaked from Mobile World, was posted on a forum, leaving many people confused.
  • On September 9, one of Razer’s Elasticsearch databases failed, and the data of more than 100,000 of its customers was disclosed.
  • The information of 235 million TikTok, Instagram and YouTube accounts was leaked through the data-crawling technique.
  • Kaspersky reported that a customer organization had been leaking data for two years, from 2017 to 2019. The cause was an administrator account whose password had not been changed, enabling hackers to enter the system and some workstations, set up backdoors and collect data from the system.
  • More than 160 million Zing ID accounts were exposed, including usernames, passwords, emails and phone numbers.
  • The US Federal Trade Commission (FTC) accepted Facebook’s settlement worth nearly $5 billion over the 2018 Cambridge Analytica user-information leak scandal. A series of other media outlets also reported on this incident.
  • In December 2017, the ride-hailing firm GrabCar was fined for illegally disclosing the names and phone numbers of more than 120,000 customers in an email marketing campaign.
  • Student loan company Educational Credit Management was the victim of a data leak in 2010 when one of its mobile devices was stolen. The company said the theft affected 3.3 million people. Although no banking or financial information was involved, the data contained social security numbers.
  • In 2005, CitiFinancial, an affiliate of Citigroup, announced the loss of a package of computer tapes sent via UPS. The tapes held sensitive information, including the names, social security numbers, addresses, payment histories and account numbers of 3.9 million new and old customers.
  • In 2009, electricity bill payment service provider CheckFree was attacked by cybercriminals who redirected its website traffic to a malicious website. At least 5 million customers logged in with their accounts on the phishing website while trying to pay for electricity. The actual number is probably higher, because at that time CheckFree had 42 million users.

In the coming days, will the world map of data leaks bear the name TrustSales?

Impact:

  • Leakage of user data and of data inside the TrustSales organization
  • The TrustSales server is hijacked

Mitigation:

  • Limit the formats allowed to be uploaded to the server by checking the extension, the MIME type and the file header.
  • Configure the web server to prevent access to, and execution of, ASPX, ASP and HTML files in the Upload folder.
  • Rename the file after upload to a hash so that the name is hard to guess, for example sha1(file_name + salt).
  • Install anti-virus on the server, scan immediately, and then scan periodically to detect and remove malware.
  • Re-audit the source code to detect malicious code or backdoors added or modified by hackers.
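As an added example (not code from this post or from TrustSales), the following Python sketch implements the first and third mitigations above: an allowlist check on extension, MIME type and file header, followed by renaming the stored file to sha1(file_name + salt). The allowlist of image formats, the salt and the sample inputs are assumptions; the web-server rule that blocks execution in the Upload folder is a separate configuration step and is not shown here.

```python
import hashlib
import os

# Allowlist (an assumption for this example): extension -> (expected MIME type, magic-byte signatures).
# Only image formats are accepted; ASPX, ASP, HTML and anything else are rejected by default.
ALLOWED = {
    ".png": ("image/png", [b"\x89PNG\r\n\x1a\n"]),
    ".jpg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".gif": ("image/gif", [b"GIF87a", b"GIF89a"]),
}

class UploadRejected(Exception):
    """Raised when any of the three controls (extension, MIME type, header) fails."""

def validate_upload(filename, declared_mime, data):
    """Check extension, declared MIME type and file header; return the verified extension."""
    # Use only the final extension: "shell.aspx.png" is treated as .png and must carry a PNG header.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    expected_mime, signatures = ALLOWED[ext]
    if (declared_mime or "").lower() != expected_mime:
        raise UploadRejected(f"MIME type {declared_mime!r} does not match {ext}")
    # The client-supplied MIME type is trivially forged, so the file header is the decisive check.
    if not any(data.startswith(sig) for sig in signatures):
        raise UploadRejected("file header does not match the declared format")
    return ext

def is_accepted(filename, declared_mime, data):
    """Boolean form of validate_upload, convenient for tests and for logging rejected uploads."""
    try:
        validate_upload(filename, declared_mime, data)
        return True
    except UploadRejected:
        return False

def stored_name(filename, salt, ext):
    """Rename to sha1(file_name + salt) as the post suggests, keeping the verified extension.
    SHA-1 is used here only to make the name unguessable, not as an integrity check."""
    digest = hashlib.sha1((filename + salt).encode("utf-8")).hexdigest()
    return digest + ext

def handle_upload(filename, declared_mime, data, salt):
    """Validate the upload and return the on-disk name; the caller writes `data` under that name."""
    ext = validate_upload(filename, declared_mime, data)
    return stored_name(filename, salt, ext)
```

The returned name carries only the verified image extension, so even a file that passes these checks never lands in the Upload folder with a name the server would hand to the ASPX handler.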

Exploit

<add name="sysmasterEntities" connectionString="data source=14.***.***.103;initial catalog=master;user id=cub****h;password=Cubetech****;" />
<add name="TrustSalesMasterRTUEntities" connectionString="data source=14.***.***.88;initial catalog=TrustSalesMasterRTU;user id=cub*****ch;password=Cubetech*******" />
