Sunday 15 April 2018

FAQ I True Mart data leak

On Friday, I published my findings into a data leak of citizen data by a company in Thailand. The Register also picked up on this story and the reaction on Twitter was relatively low.

However on Saturday, this all changed. My Twitter mentions feed was all in Thai and my DMs were filled with people asking for their data and what they should do.

To save my sanity and stop the spread of misinformation here are some clarifications in a Q&A style

Q. Did you hack the site?
No. I found the location. It was a lucky guess is the best way of describing it.

Q. True Corp are saying it is a hack?
It is a data leak. There was no security on the S3 bucket with the data. Google could have indexed it as well as any other search engine. If you found it, it was the same as browsing to a website.

Q. Did you download all of the data that was publicly accessible?
No. I selected 4 files at random to verify the contents of the bucket. Past those initial files that confirmed that this bucket was holding sensitive data, I did not download any other files. At this point, I notified True Corp of the issue.

Q. Have you a copy of my data?
No. I have deleted all files related to this disclosure

Q. Can you help me find if my data was in the leak?
No. I do not have a copy of the data nor can I check if your data was in the leak. You can however ask True Corp to verify that your data was not in that particular location

Q. What did you do once you found the files?
I notified True Corp support as detailed in my original post

Q. How many files were involved?
45736 files which were a mix of JPG and PDF files.

Q. How did you find out there were so many files?
I used a tool called s3-ncdu to generate a list of all of the files and file sizes in the bucket. This showed the folder structure and approximate files sizes.

Q. How long was the data available?
For at least from when I found it and until the 12-April-2018. It could have been available before that as well.

Q. Could someone else have found it other than you?
Yes. If I found it, someone else could have done so

Q. Could someone else have downloaded the data?
Yes. If they wanted to, they could have downloaded the entire bucket.

Q. People are calling you a hacker, is that true?
No. There was no hack here, the files were publicly facing on an unsecured system. This means that anyone could have found them with a careful Google search for example. No tools other than your browser (IE, Chrome, Firefox etc) are needed. What I did was find the issue, alert True Corp to the mistake and push that they fixed it before anyone else could find it and use it.

Q. Why did you wait one month before publishing?
To ensure that people's data was not put at risk by me publishing this information, I had to wait until the files were not available anymore. If I had published while the files were still available, someone else could have found it and used it for bad things.

Q. Why didn't True Corp respond?
When you send in information like this to a company, some are very good and will respond within minutes and fix the issue which is good. Others, take more time or do not have the correct processes in place to handle this type of problem.

Q. What is the risk to my data?
I don't know. I can give information on the technical part of this issue.

Q. What should I do if I am worried my data was in this leak?
Contact True Corp to verify that your data was or was not in the leak. Once you know, you can decide on the correct course of action for you.

Q. How could this happen that the data was not protected?
It could have been a simple oversight due to lack of testing or understanding of the security implications. Someone could have disabled security accidentally or worse someone could have turned it off maliciously which would a more worrying issue.   

Q. Where can I find more information
Please see the ThaiCERT page here

Q: Have you been contacted by the company after this?
No. They have not contacted me to ask for clarification on any of the issues.


Nan S said...

True Corps keep saying that they had been hacked or breached or...whatever the word they chose as long as it suit their needs. They even said that they have already report the police to reassure their customers.

I am just angry. Very angry. They treat us like fools.

นายอาร์ม said...

This is a shit show. True does not deal with this properly. They pulled a 'hack' card and think common people wont see through their lies. Some government official also said they want to prosecute you. Oh wow, what a dumb fuck but thats how Thai government deal with scandal. They just jail the whistleblower.

All I want to say is thank you for exposing True for what they are. Please keep up the good work.

woning said...

from my opinion, you did really good job. I don't accept the True's explanation that say the data was hacked.... what's hack? the data is opened public, and their response for this situation is really nightmare. they've taken a month to deal with this (and you had to follow up the case as well)i think it's not make sense. for now i dont know my information was in a list or not. the only thing i need to know that the truth from TRUE, why customer's sensitive data folders was public, how to handle it after this and how to support their customer.

Nan S said...

One thing I need to tell you. It seems True Corps plan to pin the blame on you no matter what.

CP, which is the corporation that own True Corps, literally run this country and no one can touch them. Please don't ever come here for your own safety (or at least until things die down). I can't say that they gonna arrest you but if they do, I don't expect them to be fair.

Again, thank you for what you did. We really appreciate it.

Unknown said...

You have good intension I admire you that.