Friday, 13 April 2018

Another telco is failing at security

Update: 14-04-2018 : True Corp have issued a statement and clarification that this only affected their subsidiary I True Mart. Details in Thai 

Back in January 2018 while at NDC London, Scott Helme introduced me to an interesting new technique for finding Amazon S3 buckets, Using the certificate transparency logs that are created when someone creates a new certificate, you can use the domain names as the wordlist for finding buckets. Its a novel approach as normally most people use the Alexa top 1 million list.  

Luckily there was a tool already for this on GitHub called bucket stream. I demo’d it at NDC Security Day in Oslo and left it for a bit before coming back to it again in March and deciding to do some digging and see what was out there. After about one hour, I had circa 500 open addresses.

What bucket stream doesn’t show is the content of the buckets, only that they are open, and the permissions associated. To get the contents, you can either visit the site manually and scan it or find another tool. In this case, that was bucket-finder which will list the contents of an S3 bucket and give you the public or private attributes.

Having an open S3 bucket is not a bad thing. For example, you can use it as storage for a website or other such things, but when you use it for storing sensitive data and leave it open, this is a serious problem

The output from bucket-finder showed several issues such as config files, source code and other potential information disclosures. Bucket finder only gets the top 1000 files via the AWS S3 API. To simplify things, I loaded the results into a small SQL database for analysis. I found all the sites that had 1000 files and did a quick visual scan to see what they contained and if there was a way to identify the owner if the need arose. 

One such owner was True Move H, the second largest mobile operator in Thailand (source: Wikipedia). Their name was in the folder that contained many files mainly JPGs and PDFs. The interesting thing that was I first observed was it was the format of truemoveh/idcard/YYYY/MM/FILENAME. 

I checked the first couple of files in the directory and it was a picture of a Minion from Despicable Me and some were logos. This led me to believe that it was a development server, but the site name contained -prod, so I scrolled further down and opened a later file which was a scanned ID card of a Thai citizen.





At this point, I realised that they were storing scanned ID cards that they got from customers in this S3 bucket and there was no security on it at all protecting the files. Simply, if you found the URL, you could download all their customers scanned details.

In all over 32GB of data existed in this bucket totalling 46K files, neatly organised by year.




I connected with True Move H on Twitter to ask for some contact information and they sent me to their support email address.



I sent the details to their support department a full report on Saturday 10-Mar detailing how this was found, examples of the files that were available and asking to talk to their security team. 

The response was quite shocking. They admitted not having a security department and that I should contact their head office between business hours





Now it was a case of trying to figure out what to do. I contacted Scott Helme to get his advice on the most effective course of action. He suggested that I should contact some journalists to help put some pressure on them to get this blatant problem fixed. Scott connected me John Leyden of The Register who also pushed True Move H to fix it.

We had heard nothing for 2 or 3 weeks and I decided that I was going to press the issue finally and told them on Mon 02-April that I would be publishing an article the following week.


On Wed 04-04 both John and I received identical messages from True Move H, saying that a team had been informed and were working on it. 



I checked again on Thursday 12-April 10:00 to verify if the files were available still and they were. At 19:00 they had finally been made private.

Unfortunately, this is not the first time this company has had issues with ID cards. Back in 2016, True Move H issued a sim card to a thief without checking ID first and the person linked to the SIM card lost a substantial sum of money. 

Along with T-Mobile Austria last week and other telco's are serious failing at security and protecting their customers privacy. You should connect with your provider and ask what they are doing to ensure this type of thing doesn't happen.

Update: 14-04-2018 : True Corp has issued a statement and clarification that this only affected their subsidiary I True Mart. Details in Thai 

5 comments:

John said...

A couple of years ago the Thai government announced all SIM cards had to be registered and everyone had to go to their mobile provider and get their passport or ID card scanned. That's why they have these scans. 46k would be only a subset of all that they hold.

Gingerbread said...

Niall, in the official statement True claims that they do not own the S3 bucket and the information was stolen and uploaded to that bucket. Is there a way to verify the owner of that bucket?

Niall Merrigan said...

Do you have a link to the statement?

ManuTz SonG said...

I could not find any website where they post about official statement. However, you can read it from some trusted news website here (In Thai language)

http://daily.khaosod.co.th/view_news.php?newsid=TUROd01EVXdNVEUxTURRMk1RPT0=&sectionid=TURNek5RPT0=&day=TWpBeE9DMHdOQzB4TlE9PQ==

P. Thiti said...

Dear Mr. Merrigan,

I would like to thank you for your help in preventing the data leaks from Truemove H company and I guess that I might be a victim of this incident too.

As comments above, I also heard that True stated that the data was hacked but I haven't seen the real statement yet.

Since now both Truemove H company and our government offices are enjoying the long holiday, there is no update until Tuesday 17th.