Formget security lapse exposed thousands of sensitive user-uploaded documents – TechCrunch
If you’ve used Formget in the past few years, there’s a good chance we know about it.
Formget bills itself as an online form maker and email marketing company based in Bhopal, India. The company allows its 43,000 customers to create online forms so others can submit their resumes or apply for a job, or provide proof of address or employment, buy goods online, and more.
How do we know? Because the company left one of its cloud storage servers online and exposed without a password.
An anonymous security researcher found Formget’s exposed Amazon S3 storage bucket and informed TechCrunch in the hope of getting the data secured. Formget pulled the bucket offline overnight after we reached out to the company on Wednesday. But the company’s founder and chief executive Neeraj Agarwal did not respond to several emails and follow-ups requesting comment.
The storage bucket was packed with hundreds of thousands of files and documents. It had a folder for each year dating back to 2013, and each year folder contained sub-folders for each month, filled with user-uploaded documents.
Some of the files we reviewed contained highly sensitive information, including:
These kinds of data exposures — where private data is mistakenly made public — have become a common security problem over the years. There have been several cases of inadvertent data exposures caused by changing storage server permissions to public. Earlier this year millions of mortgage documents were left exposed. Scraped Facebook data was up for grabs in a similar data leak. Last year, an entire Washington state internet provider left its “keys to the kingdom” exposed because of a configuration error.
Although companies often chalk up the exposures to human error, in reality it’s not so easy to inadvertently make private cloud data public.
One senior cloud security engineer who spoke to TechCrunch on background said that the major cloud services have worked hard to keep data safe by default.
“In the case of Amazon, the default settings on an S3 bucket are private — no direct unauthorized internet access is allowed,” the engineer said. Amazon also provides free tools for scanning a user’s cloud infrastructure to look for misconfigurations.
“When there are these reports in the news of massive leaks, it’s getting harder to point the blame at the cloud provider,” the engineer said. “On any installation in the past several years, developers have to go out of their way to expose these records.”
“Once an organization leaks data in a grossly negligent way like this, they have little to blame but themselves,” the engineer said.
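To make concrete what "going out of their way" means for an S3 bucket, here is an added audit example (written for this page, not code from TechCrunch or Formget) that checks the three places a bucket can be opened to the internet: its ACL, its bucket policy, and the Block Public Access flags. The grantee URIs and flag names are real AWS constants; the two sample bucket configurations are constructed.

```python
from typing import Dict, List

# Grantee URIs AWS uses for "anyone" and "any AWS account holder" (real constants).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: Dict) -> List[str]:
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            out.append(f"ACL grants {grant['Permission']} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return out


def public_policy_statements(policy: Dict) -> List[str]:
    """Flag Allow statements whose Principal is '*' (a Condition may narrow them; review by hand)."""
    out = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            out.append(f"policy allows {', '.join(actions)} to Principal '*'")
    return out


def block_public_access_gaps(config: Dict) -> List[str]:
    """All four Block Public Access flags should be True on a bucket that holds user uploads."""
    return [f"{flag} is off" for flag in BPA_FLAGS if not config.get(flag)]


def audit_bucket(acl: Dict, policy: Dict, public_access_block: Dict) -> List[str]:
    """Combine the three checks; an empty list means nothing on the bucket is world-readable."""
    return (public_acl_grants(acl) + public_policy_statements(policy)
            + block_public_access_gaps(public_access_block))


# Constructed samples in the dict shapes an S3 ACL, bucket policy document and
# PublicAccessBlockConfiguration take: one bucket open to the internet, one locked down.
EXPOSED = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::example-uploads/*"}]},
    "public_access_block": {flag: False for flag in BPA_FLAGS},
}
LOCKED = {"acl": {"Grants": []}, "policy": {"Statement": []},
          "public_access_block": {flag: True for flag in BPA_FLAGS}}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("locked", LOCKED)):
        print(name, audit_bucket(**cfg) or ["no public exposure found"])
```

Against a live account the same three dicts come from boto3's get_bucket_acl, get_bucket_policy (after json.loads of its "Policy" string) and get_public_access_block calls, so the audit runs unchanged over real buckets.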
Source: TechCrunch