According to white-hat hacker Chris Vickery, Mac OS X utility app MacKeeper dropped the ball by pushing 13 million personal account records onto servers that were fully readable by anyone who ran a quick port search on Shodan.io.
As noted by CSO Online, software owners Kromtech claim they’ve now secured the databases and say they will “continue to take every possible step to protect the data of our customers from the evolving cyberthreats that companies both large and small face on a daily basis.” Pretty words, but actions speak louder. How did supposedly secure data end up on a publicly accessible server in the first place?
Dubious History
Do a search for MacKeeper and two major results come up. The first is security-related: In May 2015, MacKeeper faced a zero-day flaw related to its handling of custom URLs. If attackers could convince users to visit an exploit-hosting site, it was possible to leverage the app and run remote code on the victim’s computer.
The other search result? That the jury’s out about MacKeeper’s usefulness — much has been made about its reliance on pop-up ads, and many Apple forums lament the amount of effort required to remove the application from a Mac OS X system.
Now the company is under fire for leaving private data in plain sight, and while Kromtech’s official statement is quick to point out that no payment data was compromised since they process all transactions through a third party, this is small comfort for anyone who had his or her name, username, email address, street address and password hash made publicly available.
Account Details Laid Bare
So what happened, exactly? According to Vickery, he was bored one night and decided to run a random “port:27017” search on Shodan.io. Port 27017 is MongoDB’s default listening port, and a MongoDB instance does not require authentication unless the operator turns it on, so a server answering on that port from a public address is very often wide open. The results were immediately apparent: MacKeeper’s database of account details, available for viewing without any authentication, firewall or encryption in the way. The fix on the database side is not exotic: bind the service to a private interface, put it behind a firewall and enable authorization before it ever holds real data.
While password data was hashed in the database, Vickery notes that the company used the long-outdated MD5 hash function and didn’t salt the passwords. That combination makes the hashes cheap to crack: MD5 is fast enough that an attacker can hash a large wordlist in moments, and without a salt one precomputed table cracks every account at once, while any two users who chose the same password show up with the same hash before a single guess is made. MacKeeper wasn’t alone, either: According to SecurityWeek, Vickery also found that social network Vixlet, video chat app OkHello and online gaming site Slingo also kept user data on fully open and unprotected servers.
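To make the hashing point concrete, here is an added example (not code from the article, Kromtech or MacKeeper) that builds a handful of constructed account rows in the shape described above, username plus unsalted MD5 hex digest, and runs a small wordlist against them. It then stores the same passwords with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library, chosen here as an illustration; Argon2 or scrypt are preferable where available) and shows that the equality leak disappears and that each guess must now be paid for per account. All usernames, passwords and the wordlist are made up.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed wordlist: a few common passwords an attacker would try first.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, as the exposed database reportedly stored it."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample rows (username, unsalted MD5 digest). Made-up accounts,
# not data from the breach.
LEAKED_ROWS = [
    ("alice", md5_hex("password123")),
    ("bob", md5_hex("letmein")),
    ("carol", md5_hex("password123")),   # same password as alice
    ("dave", md5_hex("xK9#q!vL2pZ7")),   # not in the wordlist
]


def shared_password_groups(rows):
    """Unsalted hashes leak equality: users with an identical digest share a
    password, visible before any cracking is attempted."""
    groups = defaultdict(list)
    for user, digest in rows:
        groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def crack_unsalted_md5(rows, wordlist):
    """One MD5 per candidate, computed once, is looked up against every row:
    the work is amortised across the whole dump (a lookup/rainbow table)."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[digest] for user, digest in rows if digest in table}


def hash_password(password: str, iterations: int = 600_000, salt=None) -> str:
    """Salted, slow hash. Stored as salt$iterations$digest so verification can
    recompute it; a fresh random salt per account defeats shared tables."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(rows, wordlist):
    """Against salted hashes there is no shared table: every (account, candidate)
    pair costs one full KDF run. Returns (cracked, kdf_calls) to show the cost."""
    cracked, calls = {}, 0
    for user, stored in rows:
        for candidate in wordlist:
            calls += 1
            if verify_password(candidate, stored):
                cracked[user] = candidate
                break
    return cracked, calls


if __name__ == "__main__":
    print("shared passwords (md5):", shared_password_groups(LEAKED_ROWS))
    print("cracked (md5):", crack_unsalted_md5(LEAKED_ROWS, WORDLIST))
    # Low iteration count only so the demo runs quickly; use the default in practice.
    plaintext = [("alice", "password123"), ("bob", "letmein"),
                 ("carol", "password123"), ("dave", "xK9#q!vL2pZ7")]
    salted = [(u, hash_password(p, iterations=1_000)) for u, p in plaintext]
    print("shared passwords (salted):", shared_password_groups(salted))
    print("cracked (salted), kdf calls:", crack_salted(salted, WORDLIST))
```

With the unsalted rows, alice and carol are exposed as sharing a password from the digests alone, and three of four accounts fall to a five-word list after five MD5 computations in total. With the salted rows the same plaintexts produce four distinct strings, and the same wordlist costs one KDF run per account per guess, with the iteration count setting how expensive each of those runs is.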
After his discovery, Vickery posted his results to Reddit in hopes of getting Kromtech’s attention. He did, and now Kromtech says they’ve fixed the problem. The rest of the messaging is basically an assurance that things weren’t so bad because credit card data wasn’t stolen, but a mea culpa is nowhere to be found.
Beyond MacKeeper itself, there’s a larger issue: the notion that for data to have value, it must be financial in nature. Personal details are worrisome, sure, but at least they’re not financial. Public sentiment is rapidly swinging, however, since consumers expect solid data protection and will quickly gravitate toward businesses with proven track records of data — and database — security.
Bottom line? Hackers are well aware that account details are valuable. Companies that want to stay in business had better get on board and start protecting what they collect and treating personal info like financial gold.