A popular online shop in Italy for football accessories, Calcioshop.it, has left its customer details exposed due to an unprotected database.
The open and unprotected Elasticsearch database was identified in early September by security researcher Bob Diachenko.
Diachenko discovered that the database contained an overwhelming 408,995 records holding the personal details of its customers, including full names, emails, phone numbers, billing/shipping addresses, tax numbers, order details and IP addresses.
After the company did not respond to Diachenko’s responsible disclosure notice, the researcher got in touch with the Italian CERT.
The database was pulled offline on September 19, nearly two weeks after the initial notification.
Diachenko wrote: “Danger of having exposed Elasticsearch or similar NoSql databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the Elasticsearch servers.”
“The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”
The post #Privacy: An online football accessories shop exposes its customer data appeared first on PrivSec Report.