A misconfigured Elasticsearch server exposed the personally identifiable information (PII) of at least one million users of a Chinese-run VPN provider. According to WizCase, the privacy concern impacts Quickfox, a free VPN used mostly by the Chinese diaspora to access sites that are otherwise inaccessible from outside mainland China. Unfortunately, Fuzhou Zixun Network Technology, the owner of Quickfox, had not properly set up its Elastic Stack security, leaving an Elasticsearch server unprotected and accessible — with no password protection or encryption in place.
Ata Hakcil headed a team of ethical cyber researchers who discovered a serious leak that exposed Quickfox's Elasticsearch server. The leak was caused by a misconfiguration of the ELK stack. Elasticsearch, Logstash, and Kibana (ELK) are three open-source applications that make it easier to search very large volumes of data, such as the logs of an online service like Quickfox.
Quickfox had set up access controls in Kibana, but it had not done the same for the Elasticsearch server itself. Anyone with a browser and an internet connection could reach the Quickfox records directly and extract sensitive information about Quickfox users.
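As an added illustration, not taken from WizCase's report or from Quickfox's actual files, the elasticsearch.yml pattern that matches the description above (access control only in Kibana, Elasticsearch itself wide open) is shown beside a hardened version. The setting names are Elasticsearch's own; the private address and certificate paths are assumptions.

```yaml
# --- elasticsearch.yml, the pattern the report describes (weak) ---
# Kibana may require a login, but Kibana is only a client. Elasticsearch serves
# its own REST API on port 9200, so with these settings anyone who can reach
# that port can read every index, Kibana password or not.
network.host: 0.0.0.0            # listens on every interface, public ones included
http.port: 9200
xpack.security.enabled: false    # no authentication, no authorization, no TLS
                                 # (this was the default on 7.x basic installs)
---
# --- elasticsearch.yml, hardened (added example, not Quickfox's configuration) ---
# 1. Bind only to the interface Kibana and Logstash actually use.
#    10.0.0.5 is an assumed private address; use 127.0.0.1 or _local_ when
#    Kibana runs on the same host.
network.host: 10.0.0.5
http.port: 9200

# 2. Turn on the security layer so every request must carry valid credentials
#    or an API key. Set the built-in users' passwords afterwards with
#    elasticsearch-setup-passwords (7.x) or elasticsearch-reset-password (8.x),
#    and give Kibana its own kibana_system credentials in kibana.yml.
xpack.security.enabled: true

# 3. Encrypt the client-facing HTTP API. The keystore path is assumed and must
#    point at a certificate you generated (e.g. with elasticsearch-certutil).
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

# 4. Encrypt node-to-node traffic as well; this is mandatory once security is
#    enabled on a multi-node cluster. Paths are assumed.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
```

After the change, an unauthenticated request to port 9200 returns HTTP 401 instead of index contents, which is the quickest way to confirm the fix took effect on your own cluster.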
Around 500 million records totaling over 100GB of data were exposed in the incident. The data fell into two main categories: the personal information of around 1 million users, and details of the software installed on over 300,000 users' devices. All of the documents discovered were dated between June 2021 and September 2021.
According to the IP addresses discovered in the breach, it mostly affected individuals in the United States, as well as countries bordering China, such as Japan, Indonesia, and Kazakhstan.
The PII exposed included customers' email addresses, IP addresses, phone numbers, device-type identifiers, and MD5-hashed passwords. MD5 is far from safe, according to WizCase, and can be cracked with modern technology. This would have been enough for criminals to use phishing emails, vishing phone calls, and other methods to obtain further sensitive information such as credit card or bank account numbers.
“The leaked information about device type and installed software could make this con very convincing,” warned WizCase. “It’s unclear why the VPN was collecting this data, as it is unnecessary for its process and it is not standard practice seen with other VPN services.”
Cyber-criminals could also try to hijack accounts on other sites by cracking the MD5-hashed passwords and using them in credential-stuffing attacks, WizCase said. It advised consumers to vet VPN providers thoroughly before choosing one, and to be aware that free services may profit from collecting and using customer data.