Gearbest Data Breach - IMPORTANT

MikePT Moderator, Patron Provider, Veteran

As per: https://www.vpnmentor.com/blog/gearbest-hack/

Led by Noam Rotem, a well-known white hat hacker and activist, VPNMentor’s research team discovered a major security breach in Gearbest.

With hundreds of thousands of sales every day, Gearbest is a highly successful Chinese e-commerce company.

The site sells a range of electronics and appliances, as well as clothing, accessories, and homeware. While it sells some internationally-known brands like OnePlus, most are smaller Chinese brands.

It ships to more than 250 countries and territories across the globe, and ranks in the top 100 websites in almost 30% of these regions. Gearbest has subdomains in 18 languages, generating global appeal.

Gearbest is owned by Chinese conglomerate, Globalegrow. The parent company operates several internationally successful sites, including Zaful, Rosegal, and DressLily. In 2015, their sales hit $550 million; 2017 saw the company celebrate a $1.48 billion turnover.

The company’s runaway success is a triumph for Gearbest and its sister companies. However, it’s not such great news for the sites’ customers.

vpnMentor can exclusively reveal that Gearbest’s database is completely unsecured – as are those belonging to its sister companies.

Gearbest Data Breach
Our hackers could access different parts of Gearbest’s database, including:

  • Orders database: data includes products purchased; shipping address and postcode; customer name; email address; phone number
  • Payments and invoices database: data includes order number; payment type; payment information; email address; name; IP address
  • Members database: data includes name; address; date of birth; phone number; email address; IP address; national ID and passport information; account passwords

We accessed these databases in March 2019, and discovered 1.5+ million records.

Gearbest’s database isn’t just unsecured. It’s also providing potentially malicious agents with a constantly-updated supply of fresh data.

Security Issues
Aside from our ability to access complete sets of personally identifiable information for millions of users, Gearbest’s data breach raises several other very serious issues.

User Privacy
Gearbest’s Privacy Policy states that while they do collect user information, it is with the focused purpose of serving their customers.

The privacy policy also specifies that while users are responsible for their own passwords, they encrypt sensitive information and employ external verification software to protect customers.

The data viewed as a result of this hack reveals this to be untrue. We saw lots of sensitive information – including email addresses and passwords – that was completely unencrypted.

Additionally, the database contains large amounts of personally identifiable information that is not required when completing the duties of an e-commerce store. For example, a shipping address is crucial to fulfilling orders. An IP address is not.

This is particularly worrying given the current trend towards a more open and honest internet. Service providers across multiple industries, ranging from CyberGhost VPN to Walmart (both of whom have recently published transparency reports), strive to increase transparency for their customers. Gearbest’s shady practices do the opposite.

Gearbest seems to infringe on their own privacy policy. However, this isn’t the most significant risk to user privacy here.

User Safety
An open database filled with personal information can compromise users’ safety online. The records we saw show full sets of unencrypted data, including email addresses and passwords.

(It’s worth noting that some email addresses contained some hashing. We don’t know if this was intentional and should have appeared everywhere, or if some of their data was corrupted. Our hackers believe that it was a partially-implemented security measure that is simply not doing its job.)

The screenshot below shows snippets from two sets of user data we harvested from the database.

We were able to log in to these two Gearbest accounts and operate them as if we were the users. We could view current and past orders, accumulated Gearbest points, and change the account password and details.

Hackers could use this information to create “local” damage: by accessing user accounts using their email and password, they can change user orders, manipulate account details, and spend monies from saved payment methods.

However, this information could also be used in a far more sinister way. By cross-referencing different databases, hackers could easily steal Gearbest’s customers’ identities.

As seen below, the Members database includes this user’s IP address, full postal address, email address, birth date, and, most worryingly, their national identity number.

Depending on the country and requirements, this could be enough information to give hackers access to online government portals, banking apps, health insurance records, and more.

Payment Details
When examining the Payments and Invoices database, we noticed the term “Boleto” appeared multiple times, exclusively in reference to Brazilian orders (Brazil accounts for 9.2% of Gearbest’s global traffic).

It refers to Boleto Bancario (literally, “Bank Ticket”), a payment method which is regulated by the Brazilian Federation of Banks.

It’s similar to the Oxxo payment system used in Mexico. Oxxo allows users to create a voucher which functions like a debit card: users load the amount of their choosing, and can spend what’s available. Each voucher features a unique bar code; this gives users access to their money.

In the database we accessed, payments made using either of these methods include a URL for “ebanx.” These links show the active vouchers used, complete with their cash amounts. The data also includes Oxxo and Boleto vouchers’ unique barcodes; this information allows hackers to act as users. We could also access customers’ receipts, complete with their banking information.

Order Details: Sex Toy Scandal
The exact content of people’s orders is visible on the Orders database. The exact make, color, size, and cost of each item can all be viewed, along with the user name and shipping address.

Compared to other information available across these unprotected databases, this doesn’t seem particularly shocking. However, the content of some people’s orders has proven very revealing – and in some instances, even life-threatening.

Hidden in the “Sales” section of Gearbest’s “Apparel” category, users can find a vast array of sex toys. The nature of the store’s open database means the details of your private purchases could quickly become public knowledge.

For many adults across the world, purchasing sex toys is not problematic. For example, the orders shown in the image below belong to people in Brazil and Greece.

These countries have very permissive laws regarding sexuality and homosexuality. For context, Brazil hosts the world’s largest Pride parade, and same-sex relationships have been legal in Greece since 1951. While the content of such orders being released could be embarrassing for the buyer, the publication of such information could not result in legal repercussions.

However, this is not the case everywhere. While examining the database, we came across order information for a male Pakistani user.

This customer purchased a silicone dildo; in fact, further inspection of the database shows that he actually bought three. Each purchase includes slightly different information, which is why a street address does not appear in the image above.

Pakistan does not enjoy the same liberal attitude to sexuality that many Western countries take for granted.

The country’s strict laws stipulate that adultery and pre-marital sex are criminal offenses punishable by imprisonment and fines. The country’s religious laws also allow for death by stoning or corporal punishment.

LGBT rights are limited, and the same punishments are applicable. The LGBT community also suffers social stigma, a lack of legal protection, and an Islamized society which precludes acceptance of LGBT people.

It’s also worth noting that culturally, it is unlikely that the buyer made this purchase for his wife.

These laws make our Pakistani shopper a prime example of why Gearbest’s open database is so dangerous. A simple search gave us his full name, email address, street address, and IP address. A more detailed search could probably show us his date of birth and account password, letting us see his previous order information.

We’re not malicious and are sharing this (highly censored) information to highlight the dangers of this open database. Others may have very different intentions. In the Pakistani government’s hands, this information could mean a literal death sentence for this user.

How Gearbest is Harming Itself
Gearbest is exposing millions of users’ data. However, the company is also hurting itself.

The indices our hackers discovered aren’t just for their user databases. They also included URL access to Gearbest’s – and Globalegrow’s – Kafka system.

Kafka is a data management program that helps large corporations control the amount of site data sent through each of their servers. This serves two purposes: it prevents server overload and maintains efficiency, and allows companies to collect big data.

This kind of access allows malicious hackers to manipulate information, reassign database properties, and even disable entire sections of the company’s server. Depending on the function of each server, this could disrupt data collection, order placement, and stock and warehouse management.

Ethical Hacking
We discovered this breach as part of an ethical hacking project. Noam Rotem, a well-known white hat activist and hacker, along with Ran L. and their team, is running a web scanning project which examines IP blocks and system holes for data leaks.

They verified the database’s owners by creating, entering, and identifying data.

They discovered that Globalegrow’s entire database is unprotected and mostly unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing up to 10,000 schemata from a single index at any time.

As ethical hackers, we are obliged to reach out to websites when we discover security flaws. This is especially true when a company’s data breach affects so many people – and in Gearbest’s case, this issue impacts hundreds of thousands of people every day.

However, these ethics also mean we carry a responsibility to the public. Gearbest shoppers should be aware of the risks they take when using a site that makes no effort to protect its users.

We repeatedly contacted both Gearbest and Globalegrow to inform them of this breach, and to let them know when we would be publishing this article. They had several days’ notice. Unfortunately, our repeated attempts to ask these companies to step up and protect their users have been unsuccessful. At the time of publication, we were yet to receive a response.


Advice: Change your information to something fake and delete any payment methods you have there or agreements. These guys don't care about security.

Thanked by: Ympker, coreflux
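As an added example (not code from vpnMentor, Gearbest or anyone in this thread), here are two defender-side checks for the failure the quoted write-up describes: an Elasticsearch cluster that answers plain HTTP requests with no authentication. `classify_probe` interprets what a cluster returns to an anonymous request and `audit_config` flags the two elasticsearch.yml settings that leave the REST port open; the function names, the 6.x/7.x REST conventions and the sample responses in the comments are my own assumptions.

```python
"""Added example, not vpnMentor's or Gearbest's code: defender-side checks for an
Elasticsearch cluster that answers anonymous HTTP requests. Assumes 6.x/7.x REST
conventions; run probe() only against clusters you operate."""
import json
import urllib.error
import urllib.request


def classify_probe(status, body):
    """Interpret the answer to an unauthenticated GET /_cat/indices?format=json.
    Returns (exposed, detail): 401/403 means authentication is enforced; a 200
    carrying the index listing means anyone reaching the port can read it all."""
    if status in (401, 403):
        return False, "anonymous access denied (authentication enforced)"
    if status != 200:
        return False, f"unexpected HTTP {status}; inspect manually"
    try:
        indices = json.loads(body)
    except json.JSONDecodeError:
        indices = None
    if not isinstance(indices, list):
        return False, "HTTP 200 but not an index listing; check what answered"
    # docs.count comes back as a string, and is None for closed indices.
    total = sum(int(i.get("docs.count") or 0) for i in indices)
    names = sorted(i["index"] for i in indices)
    return True, f"OPEN: {len(names)} indices, {total} documents readable: {names}"


def probe(base_url, timeout=5):
    """Send the anonymous request (no credentials) and classify what comes back."""
    url = f"{base_url.rstrip('/')}/_cat/indices?format=json"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read().decode())


def audit_config(yaml_text):
    """Flag the two elasticsearch.yml settings that turn a private store into a
    public one: binding the REST port to every interface, and leaving security
    off (the default before 8.0). Line-based; use a YAML parser in production."""
    settings = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    findings = []
    if settings.get("network.host") in ("0.0.0.0", "_global_", "::"):
        findings.append("network.host binds the REST port to all interfaces")
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication")
    return findings
```

An empty `audit_config` result plus a 401 from `probe` is the state the write-up says Gearbest lacked: a cluster that is both off the public interface and refusing unauthenticated reads.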

Comments

  • Prime404 Member
    edited March 2019

    Not really surprising, they have been hacked in the past without knowing they even got breached and they never did do anything to warn their users about it. As far as I know they never even fixed the issue that caused past security breaches either and that is their apps are leaky as shit, and do not properly validate the information.

  • Advice: Change your information to something fake

    If they already accessed the data, what's the point?

    and who the hell is giving their national ID (I assume this is SSN/NI number) to gearbest?

  • MikePT Moderator, Patron Provider, Veteran
    edited March 2019

    @hostnoob said:

    Advice: Change your information to something fake

    If they already accessed the data, what's the point?

    and who the hell is giving their national ID (I assume this is SSN/NI number) to gearbest?

    Hi,

    Not actually. These hackers didn't do anything malicious, but since the issue is still not fixed, pretty sure some hackers will take advantage of it, so perhaps there's still some time.

    Thanked by: netomx, hostnoob
  • wtf with unencrypted passwords. I'm glad I used an unused email and a random password there.

  • Sucks to be the gay Pakistani fellow with 3 dildos on or about (or even inside) his person.

  • @dahartigan said:
    Sucks to be the gay Pakistani fellow with 3 dildos on or about (or even inside) his person.

    Only until they track him down.

  • TL;DR: Move away from GearWorstBest

  • #dildos

  • Is there a way to delete information from old orders?

  • @MGarbis said:
    Is there a way to delete information from old orders?

    Probably a few - just got to poke around their db a bit apparently ...

  • @MGarbis said:
    Is there a way to delete information from old orders?

    Nope.

    Thanked by: MGarbis
  • Feature-first development. #WINNING

    Thanked by: coreflux
  • According to the researcher's Twitter page, the breach has already been fixed:
    https://mobile.twitter.com/noamr/status/1106465743317712896?s=21

  • jackb Member, Host Rep
    edited March 2019

    (It’s worth noting that some email addresses contained some hashing. We don’t know if this was intentional and should have appeared everywhere, or if some of their data corrupted. Our hackers believe that it was a partially-implemented security measure that is simply not doing its job.)

    Sounds like the person writing it up or "their hackers" misinterpreted something. You don't partially hash an email as a security measure. You either do hash or you don't hash, and if you do, you can't send emails to that user.

  • Neoon Community Contributor, Veteran

    Fuck, all the Sex Toys I ordered, all public now. Dang it.

    Thanked by: t0m
  • @Neoon said:
    Fuck, all the Sex Toys I ordered, all public now. Dang it.

    I noticed that you ordered 30 rubber fists..

    Thanked by: t0m
  • Neoon Community Contributor, Veteran

    @dahartigan said:

    @Neoon said:
    Fuck, all the Sex Toys I ordered, all public now. Dang it.

    I noticed that you ordered 30 rubber fists..

    Thanked by: netomx
  • @Neoon said:

    @dahartigan said:

    @Neoon said:
    Fuck, all the Sex Toys I ordered, all public now. Dang it.

    I noticed that you ordered 30 rubber fists..

  • @MikePT said:

    @hostnoob said:

    Advice: Change your information to something fake

    If they already accessed the data, what's the point?

    and who the hell is giving their national ID (I assume this is SSN/NI number) to gearbest?

    Hi,

    Not actually. These hackers didn't do anything malicious, but since the issue is still not fixed, pretty sure some hackers will take advantage of it, so perhaps there's still some time.

    Ah got you, thanks

  • jsg Member, Resident Benchmarker
    edited March 2019

    When I read something like that I'm always a bit torn. On the one hand, it's of course desirable to learn about companies not giving a damn about their users'/customers' data and privacy. On the other hand, however, no matter how one white-washes and glorifies it, that "research" was a criminal act, period. And in more than one sense.

    The rules are simple: you are a white hacker when the target has given permission (or even asked) to be hacked, usually to find out about their security. Any and every other hacking - like what Noam Rotem did - is not white hacking but criminal.

    Btw. Noam Rotem is not some kind of authority. He is not in any way a big (or even just middle class) shot in the security community.

    Looking at vpnmentor, at some of their "reports" (incl. this one) written anonymously, I can't help but see a lot of shadiness. My guess is that this "report" actually is the (intended) result of a (paid) hit job on a competitor. And of course the hacker calls it "research" and/or "white hat". That means nothing.

    In case you happen to be a customer of the victim, the good news seems to be that you got a warning. The bad news, however, is that it's too late because you are the last one in the feeding line. Before you even get wind (let alone get a report on vpnmentor), all the victims' data have gone to the customer behind the hack as well as to some third parties who paid for those data.

  • ArisC Member
    edited March 2019

    The answer I received about the data breach....
    https://imgur.com/a/RfpqQiR

    Thanked by: MGarbis
  • deank Member, Troll

    Generally, "investigation" means watching tube on the job and making a bogus report later.

    Thanked by: netomx
  • Neoon Community Contributor, Veteran

    Well, it's the internet, if your data is out there, you be fucked.
    They cannot pull it back.

  • @Neoon said:
    Well, it's the internet, if your data is out there, you be fucked.
    They cannot pull it back.

    Like pee in a pool.

    Thanked by: dahartigan, coreflux
  • @Letzien said:

    @Neoon said:
    Well, it's the internet, if your data is out there, you be fucked.
    They cannot pull it back.

    Like pee in a pool.

    LOL!

  • Neoon Community Contributor, Veteran

    @Letzien said:

    @Neoon said:
    Well, it's the internet, if your data is out there, you be fucked.
    They cannot pull it back.

    Like pee in a pool.

    No, you can neutralize the piss with chemicals but you cannot scrape your data off someone's hdd.

  • Amitz Member

    Not even with pee? Damn. That's some serious shit then.

  • @MGarbis

    MGarbis said: Is there a way to delete information from old orders?

    Depends on the number of dildos you have ordered.

  • farsighter said: According to the researcher's Twitter page, the breach has already been fixed

    Neoon said: you can neutralize the piss with chemicals

    All the piss in the pool has been neutralized, please get back to swimming.

    Thanked by: Letzien, uptime, bugrakoc