Real-Time Location of Millions Exposed by Mobile Loan Apps

Image: Daan Mooij

Financial data, personally identifiable information (PII), and the real-time location of millions of Chinese users were exposed by an open Elasticsearch cluster hosted on infrastructure owned by Aliyun Computing Co (also known as Alibaba Cloud).

The highly sensitive information was written to the publicly accessible database by more than 100 mobile loan-related apps that Chinese users install when applying for loans.

According to Anurag Sen, Safety Detectives' head of research and the researcher who first discovered the leak, the company that owns the Elasticsearch server has not been identified. The database is now unreachable, as Alibaba has taken the exposed server offline.

Exposed Elasticsearch cluster

However, in the researchers' opinion, the leaked data appears to belong to a Chinese mobile app marketing agency that was storing the trove on a rented server.

Things including a user’s IP address and duration of a given activity, call logs, SMS exchanges (including content of the SMS), and the various apps installed on the devices are all within the scope of data made available by this leak. This is not only great for marketers to know everything to hyper-target their audience and fine-tune their message, it could also be easily used in either ‘friendly’ government spying or not-so-friendly espionage. - Safety Detectives

Before being secured, the publicly accessible database left data on more than 4.6 million mobile devices exposed for roughly two weeks, between Sen's discovery of the Elasticsearch cluster and the moment Alibaba, the hosting provider, took it offline.

As discovered by the researcher, the open database exposed 899 GB of data: identity, credit card, banking, device and real-time GPS location information, as well as loan records and transaction details, risk management data, mobile billing invoices, lists of installed apps and app tracking data.

To make things worse, some of the millions of leaked records also contained users' passwords, stored not encrypted but hashed with MD5. MD5 is a fast digest with no built-in salt and is unsuitable for password storage: the hash of any common password can be recovered instantly from a precomputed lookup table, and the rest are cheap to brute-force, so these fields should be treated as if they were plaintext.
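As an added illustration (not code from the report or the article), the following shows why an MD5 password column in a leak is effectively plaintext, and what a salted, iterated hash looks like instead. The leaked records and the wordlist below are constructed sample values for the example, not data from the breached cluster.

```python
import hashlib
import hmac
import os

# Constructed sample of an MD5 "password" column of the kind found in such leaks.
# These are made-up records for the example, not data from the breached cluster.
LEAKED_RECORDS = [
    {"user": "u1001", "pwd_md5": "e10adc3949ba59abbe56e057f20f883e"},
    {"user": "u1002", "pwd_md5": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"user": "u1003", "pwd_md5": "0123456789abcdef0123456789abcdef"},  # not in wordlist
]

# A tiny stand-in for the multi-gigabyte wordlists and rainbow tables attackers use.
WORDLIST = ["123456", "password", "qwerty", "111111", "abc123", "iloveyou"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Precompute MD5 for every candidate once; each leaked hash is then an O(1) lookup."""
    return {md5_hex(w): w for w in words}


def crack_md5_records(records, lookup):
    """Return {user: password} for every record whose MD5 appears in the lookup."""
    return {r["user"]: lookup[r["pwd_md5"].lower()]
            for r in records if r["pwd_md5"].lower() in lookup}


# --- What the apps should have stored instead: a salted, slow, iterated hash. ---
ITERATIONS = 200_000  # tune so one verification costs tens of milliseconds on your hardware


def hash_password(password: str, salt: bytes = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as one self-describing string."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    cracked = crack_md5_records(LEAKED_RECORDS, build_lookup(WORDLIST))
    print("recovered from MD5:", cracked)
    stored = hash_password("123456")
    print("salted hash:", stored)
    print("verify:", verify_password("123456", stored))
```

The same wordlist that recovers two of the three MD5 records in microseconds buys an attacker nothing against the PBKDF2 column: every user has a different salt, so no table can be precomputed, and each guess costs 200,000 HMAC iterations instead of one.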

Leaked data

"There are more than enough details to entirely overtake someone’s identity without any significant effort whatsoever," says the report. "If this data were to be sold on the Dark Web, it could easily be packaged into a ‘deal’ where an individual’s financial, medical, and personal life are up for grabs."

How to secure ElasticSearch clusters

Although the Elastic Stack's core security features have been free since Elastic NV announced the change in May 2019, security researchers keep finding publicly accessible, unsecured Elasticsearch clusters.

"This means that users can now encrypt network traffic, create and manage users, define roles that protect index and cluster level access, and fully secure Kibana with Spaces," according to Elasticsearch's developers.

Elasticsearch servers should only be reachable from the company's internal network, so that only the database's owners can access them, as Elasticsearch's development team already detailed back in December 2013.

Elastic NV also advises administrators to secure the Elastic Stack by "encrypting communications, role-based access control, IP filtering, and auditing," to configure the cluster properly before deploying it, and to set passwords for the built-in users.
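As an added example (not code from Elastic or from the article), here is a small checker for elasticsearch.yml that flags the 7.x-era settings behind this kind of exposure: a public bind address, security left off, no TLS, no IP filter and no audit log. The two configurations embedded in it are constructed for the example; the setting names are Elastic's own, and the checker assumes, as was true on the free license in 7.x, that a missing xpack.security.enabled means security is off (8.x enables it by default).

```python
"""Flag the elasticsearch.yml settings that turn a cluster into an open database."""

# network.host values that listen on all, or all non-loopback, interfaces.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_site_", "_global_"}

# Constructed example of a 7.x node left as it comes out of the box, except bound
# to every interface so the apps can reach it: the open-cluster pattern.
WEAK_CONFIG = """\
cluster.name: app-analytics
node.name: node-1
network.host: 0.0.0.0      # reachable from the internet on a cloud VM
http.port: 9200
# xpack.security.enabled not set: defaults to false on the basic license in 7.x
"""

# Constructed hardened counterpart: private address, authentication, TLS on both
# ports, an HTTP allow-list, and auditing switched on.
HARDENED_CONFIG = """\
cluster.name: app-analytics
node.name: node-1
network.host: 10.0.12.5
http.port: 9200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: ["10.0.12.0/24"]
xpack.security.audit.enabled: true
"""

# Settings that must be "true"; an absent setting is treated as "false" (7.x behaviour).
REQUIRED_TRUE = [
    ("xpack.security.enabled",
     "authentication is off, anyone who can reach port 9200 can read, modify or delete every index"),
    ("xpack.security.transport.ssl.enabled",
     "node-to-node traffic is in the clear"),
    ("xpack.security.http.ssl.enabled",
     "REST API traffic, including credentials, is in the clear"),
    ("xpack.security.http.filter.enabled",
     "no IP filtering on the HTTP port"),
    ("xpack.security.audit.enabled",
     "no audit trail to tell what was read if the cluster is found"),
]


def parse_flat_yaml(text):
    """Minimal parser for the flat `dotted.key: value` lines elasticsearch.yml uses.
    Enough for this example; use a real YAML library for nested or multi-line files."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or ": " not in line:
            continue
        key, _, value = line.partition(": ")  # split on first ": " so "::" survives as a value
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "localhost")  # Elasticsearch binds to loopback by default
    if host in PUBLIC_BINDINGS:
        findings.append(f"network.host={host}: ports 9200/9300 listen on every interface")
    for key, why in REQUIRED_TRUE:
        if s.get(key, "false").lower() != "true":
            findings.append(f"{key} is not true: {why}")
    if (s.get("xpack.security.http.filter.enabled", "false").lower() == "true"
            and "xpack.security.http.filter.allow" not in s):
        findings.append("IP filtering is enabled but no allow-list is set")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

The weak configuration trips all six checks; the hardened one trips none. Two caveats a practitioner would add: IP filtering and audit logging are paid-tier features in Elastic's subscription model, so on the free license enforce the allow-list with the cloud security group or host firewall instead; and a clean elasticsearch.yml is not the whole job, since the built-in users (elastic, kibana_system and the rest) still need passwords set before the node is exposed to anything.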
