Thousands of people use Blind, an app-based "anonymous social network," as a safe way to report irregularities, wrongdoing and inappropriate behavior at their companies.
But Blind left one of its database servers exposed without a password for more than a month, allowing anyone who knew where to look to access every user's account information and identify potential whistleblowers.
The company, founded in South Korea, launched in the United States in 2015 and quickly became a very popular social network at major technology companies, attracting employees from Apple, Facebook, Google, Microsoft, Twitter, Uber and more. Last month it secured another $10 million in new funding, after raising $6 million in 2017. But it was only when the social network became the source of several high-profile scandals that Blind gained widespread attention, including when allegations of sexual harassment at Uber surfaced on the app and Uber blocked the app on its corporate network.
The exposed server was found by a security researcher, Musab H, who notified the company of the security lapse. He found one of the Kibana dashboards for the company's backend Elasticsearch database, which contained several tables, including private messages and web-based content, for both the US and Korean sites. Blind said the exposure affected only users who signed up or logged in between November 1 and December 19, and that it was limited to "one server, one of many servers in our platform," Blind executive Kyum Kim said in an email.
Blind pulled the database offline shortly after TechCrunch followed up by email a week later. The company began emailing its users on Thursday, after we asked for comment.
"While developing an internal tool to improve our service for our users, we became aware of an error that exposed user data," said the email to affected users.
Kim said there was no "evidence" that the database had been accessed or misused, but did not say how the company reached that conclusion. When asked, the company would not say whether it will notify regulators in the United States of the breach.
Blind's CEO, Sunguk Moon, who was copied on several emails with TechCrunch, did not comment on or acknowledge the exposure.
At its core, the app and anonymous social network lets users sign up with their company email address, which the company says is never tied to a Blind member's identity. Email addresses are used "for verification only," to let users talk to other anonymous people at their company, and the company claims that email addresses are not stored on its servers.
But after reviewing part of the exposed data, some of the company's claims do not hold up.
We found that the database provided a real-time stream of user logins, user posts, comments and other interactions, allowing anyone to read private comments and posts. The database also revealed unencrypted private messages between members, though not alongside their associated email addresses. (Because of the sensitivity of the data and the privacy of the affected users, we are not publishing data, screenshots or user content.)
Blind claims on its website that its email verification is "secure, with a patented infrastructure set up so that all user account and activity information is completely separated from the email verification process." "This effectively means that there is no way for Blind to trace your activity to an email address, because we cannot do it." Blind claimed that the database "does not show any email address mapped to nicknames," but we found streams of email addresses belonging to members who had not yet posted. In our brief review we did not find any content, such as comments or messages, tied to an email address, only to a unique member ID, which could identify a user's posts in the future.
However, many records contained plain email addresses. Where a record did not store an email address, it held the user's email as an unidentified encrypted or obfuscated string, which Blind may be able to reverse but nobody else could.
The database also contained passwords stored as MD5 hashes, an outdated algorithm that is now considered broken. Many of the passwords were easily cracked with readily available tools when we tried. Kim denied this. "We do not use MD5 to store our passwords," he said. "The MD5 keys are a record and do not represent the way we manage data. We use more advanced methods such as salted hashing and SHA2 to secure user data in our database." (Logging in with an email address and password that are not our own could be illegal, so we could not verify this claim.) This could pose a risk to employees who use the same password on the app as for their corporate accounts.
Despite the company's apparent efforts to keep email addresses separate from its platform, the database's login logs also stored access tokens for user accounts, the same kind of token that recently put Microsoft and Facebook accounts at risk. A malicious actor who took and used a given token could sign in as that user, effectively stripping away whatever anonymity the user had from the database in the first place.
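To make the MD5-versus-salted-hashing point concrete, here is an added example (written for this page, not Blind's code, and not derived from the exposed data): it flags records whose password field is a bare 32-hex-character MD5 digest, shows why a single precomputed table recovers every such record that uses a common password, and contrasts that with a salted, slow scheme (PBKDF2-HMAC-SHA256) where two users with the same password get different stored values. The records, the wordlist and the `pbkdf2_sha256$...` storage format are all constructed for the example.

```python
import hashlib
import hmac
import os
import re

# A bare, unsalted MD5 digest is 32 lowercase hex characters.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

# Constructed storage format: scheme$iterations$salt_hex$digest_hex
PBKDF2_SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256, random 16-byte salt).
    The salt is stored next to the digest so the value can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the digest with the stored salt and compare in constant time.
    Anything that is not in the salted format (e.g. a bare MD5) is rejected."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != PBKDF2_SCHEME:
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample records in the shape the article describes: two legacy
# rows whose password field is an unsalted MD5 digest, and one row already
# stored with the salted scheme. Not data from the exposed server.
SAMPLE_RECORDS = [
    {"member_id": 1001, "password": hashlib.md5(b"password123").hexdigest()},
    {"member_id": 1002, "password": hashlib.md5(b"letmein").hexdigest()},
    {"member_id": 1003, "password": hash_password("correct horse battery staple")},
]

# Constructed short wordlist, standing in for the far larger lists that
# readily available cracking tools ship with.
COMMON_PASSWORDS = ["123456", "password", "password123", "letmein", "qwerty"]


def looks_like_md5(value):
    return isinstance(value, str) and MD5_HEX.fullmatch(value) is not None


def audit_records(records):
    """Return the member_ids whose stored password is an unsalted MD5 digest."""
    return [r["member_id"] for r in records if looks_like_md5(r.get("password"))]


def dictionary_hits(records, wordlist):
    """Why unsalted MD5 is trivially reversible: without a salt, identical
    passwords hash to identical values, so one precomputed table of MD5(word)
    recovers every record that used one of those words."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {r["member_id"]: table[r["password"]]
            for r in records if r.get("password") in table}


def salted_hashes_differ(password):
    """Two users choosing the same password get different stored values,
    so a precomputed table cannot be reused across accounts."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("members still on MD5:", audit_records(SAMPLE_RECORDS))
    print("recovered by wordlist:", dictionary_hits(SAMPLE_RECORDS, COMMON_PASSWORDS))
    print("same password, distinct salted hashes:", salted_hashes_differ("password123"))
```

A store that passes `audit_records` with an empty list, and whose remaining hashes are produced by a salted, slow scheme, is the state the company's "salted hashing and SHA2" statement describes; the presence of MD5-shaped values in any copy of the data, including logs, is what `audit_records` is meant to catch.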
Beyond the app's stated intent, the database exposure puts users, who trust the app to keep their anonymized information and identities secure, at risk.
These are not just any users, but employees of some of the largest companies in Silicon Valley, who share information about sexual harassment in the workplace and discuss job offers and workplace culture. Many of those who signed up last month include senior executives at major technology companies, unaware that the email address they provided could sit in plain text in an open database. Some users sent anonymous private messages that in some cases made serious allegations against colleagues or managers, while others voiced concern that their employers were monitoring their inboxes for email messages from Blind.
But many would likely be alarmed to learn that the app they used, often for relief, sympathy, or as a way to report wrongdoing, was completely unencrypted and accessible not only to the app's staff but, for a time, to anyone on the internet.
Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.