What if the user information in the website app database is leaked and tampered with
2022-07-19 08:00:00 【websinesafe】
Shanghai's economy began to recover in July, and the client behind an APP project built in Shanghai launched a series of marketing campaigns across many channels. As users downloaded and installed the APP, security problems began to surface frequently, and the project was targeted by experienced hackers. The specific symptoms of the data-leak attack were: information of newly registered users was leaked, and those users received telemarketing calls shortly after registering; some users' data was also maliciously tampered with, causing heavy losses to the APP operator. For example, some users' credit limits were tampered with to a 200,000 (20w) limit. On finding the problem, the APP project owner immediately engaged an APP security emergency response service team to carry out a comprehensive emergency response, with the requirement to find the cause of the vulnerability and trace the source of the attack as soon as possible.
After learning of the situation, we at SINE Safety immediately assigned a technical team to inventory the servers and databases associated with the overall operation of the project, the API interface servers, the landing-page promotion servers and the H5 domain names. We also asked in detail about the earliest time such data had been stolen, leaked or tampered with, the losses caused, and the third-party security checks and records kept by the administrators. From the project's operations staff we learned that all servers run Linux, that the App is developed in Java + Vue, and that the API interface is also developed in Java. The operations staff had also told the programmers that all code modification and debugging should be done in a test environment on the production server; put simply, the developers were debugging and modifying code directly on the project's live server. Through manual audit and scanning, our engineers found that the server had ports 8099, 22, 3306, 21, 80, 443 and 8080 open, among others. Port 8099 serves a GitLab system used by programmers to modify and synchronize App code; port 22 is SSH, used by operations staff and developers to log in to the server; port 3306 is MySQL, serving both the test database and the production database; port 21 is the FTP service programmers use to upload files; ports 80 and 443 serve the API interface and the App's externally facing services; and port 8080 is used by programmers to debug the app interface.
Early information gathering cannot afford to miss any detail: a small weak point leads to a vulnerability. We tried the project-sharing URL of GitLab's default root account and found that the projects shared by root included the App source code. Our technicians immediately packaged and downloaded it to their own machines and analysed the configuration files in the Java code in depth. Some Alibaba Cloud OSS access keys and secrets were found there. When we tried the OSS key and secret, we discovered that this key's permissions were extremely broad: with it, one could directly obtain all server information under the current Alibaba Cloud account, along with management permissions over all Alibaba Cloud services.

This vulnerability is extremely harmful: it gives control over every server under the Alibaba Cloud account. It also explains the symptom the customer described at the start, namely why newly registered users' information was leaked immediately. The root cause was the leaked Alibaba Cloud OSS key and secret, which let the hackers log in to the server directly, view the database, and extract users' mobile phone numbers, names and ID numbers in real time to sell to third parties, who then used the numbers for telemarketing; an entire industrial chain has formed around this. For this vulnerability we asked the customer to confirm whether the servers shown in the picture above were under the customer's account, and the project's operations staff confirmed that they were indeed all the servers under their Alibaba Cloud account. Because the operations staff were initially sceptical of SINESAFE's technical capability, they had told us at the start of the penetration test that knowing the server IP was useless and that we would have to actually obtain server administrator permission. With the customer's authorization and permission, and without affecting the operation of production business, we used the Alibaba Cloud key and secret to execute shell commands and entered the server directly with root privileges. We discovered that the database was deployed on the intranet at 172.18.17.165, and from `history` we obtained some of the user's historical commands, which included the MySQL database account and password. We had found at the outset that port 3306 was open on the server, so after obtaining these database credentials we connected remotely to MySQL and confirmed that it held all of the App's database content. The screenshot is as follows:
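Both leaks in this incident, the OSS key and secret sitting in a Java configuration file and the MySQL password sitting in shell history, are the kind of thing a defender can catch with a simple scan before an attacker does. The following is an added example, not SINE Safety's tooling or the project's code: it scans constructed `.properties` lines and constructed `.bash_history` lines for credential-bearing config keys, cloud access-key IDs and `mysql` invocations with an inline password, and reports each hit with the secret masked. The assumption that Alibaba Cloud AccessKey IDs begin with `LTAI` is ours; all sample values are made up.

```python
"""Added example: scan config files and shell history for leaked credentials.
Not the project's code; sample inputs below are constructed."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    source: str    # file the line came from
    line_no: int   # 1-based line number within that file
    kind: str      # what kind of leak was matched
    text: str      # the offending line with the secret masked


# Config keys that usually carry a credential in Java .properties / YAML files.
SECRET_KEY_RE = re.compile(
    r"(?i)^\s*([\w.\-]*(?:accesskeyid|accesskeysecret|secret|password|passwd|token)[\w.\-]*)\s*[=:]\s*(\S+)"
)
# Assumption: Alibaba Cloud AccessKey IDs commonly begin with "LTAI"; adjust for other providers.
AK_ID_RE = re.compile(r"\bLTAI[0-9A-Za-z]{12,}\b")
# mysql client run with the password on the command line, which then lands in ~/.bash_history.
MYSQL_PW_ARG_RE = re.compile(r"(\s-p|--password=)(\S+)")


def _mask(value: str) -> str:
    """Keep a short prefix so the finding is recognisable, hide the rest."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_lines(source: str, lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SECRET_KEY_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if value.startswith("${"):   # reference to an environment variable, not a literal secret
                continue
            findings.append(Finding(source, n, "config-secret:" + key, f"{key}={_mask(value)}"))
            continue
        if AK_ID_RE.search(line):
            findings.append(Finding(source, n, "accesskey-id",
                                    AK_ID_RE.sub(lambda mm: _mask(mm.group(0)), stripped)))
            continue
        if stripped.startswith("mysql") and MYSQL_PW_ARG_RE.search(line):
            findings.append(Finding(source, n, "mysql-inline-password",
                                    MYSQL_PW_ARG_RE.sub(lambda mm: mm.group(1) + _mask(mm.group(2)), stripped)))
    return findings


# Constructed sample: a Spring-style application.properties with the OSS credentials inline.
CONFIG_LINES = [
    "# application.properties (constructed sample)",
    "server.port=8080",
    "spring.datasource.url=jdbc:mysql://172.18.17.165:3306/app",
    "spring.datasource.username=app",
    "spring.datasource.password=P@ssw0rd-example",
    "aliyun.oss.endpoint=oss-cn-shanghai.aliyuncs.com",
    "aliyun.oss.accessKeyId=LTAI4EXAMPLEKEYID0001",
    "aliyun.oss.accessKeySecret=EXAMPLEsecretEXAMPLEsecret01",
    "aliyun.oss.bucket=app-uploads",
    "safe.secret=${OSS_SECRET}",
]

# Constructed sample: a developer's shell history on the production box.
HISTORY_LINES = [
    "cd /opt/app",
    "mysql -uroot -pRootPass123 app",
    "ls -la",
    "mysql -h 172.18.17.165 -u app --password=P@ssw0rd-example app",
    "vim application.properties",
]


def scan_all() -> List[Finding]:
    """Scan both constructed sources; a real run would read the files from disk."""
    return scan_lines("application.properties", CONFIG_LINES) + scan_lines(".bash_history", HISTORY_LINES)


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f.source}:{f.line_no} [{f.kind}] {f.text}")
```

Run against a checkout of the repository and the home directories of accounts that log in to the server; any `config-secret` hit belongs in a secrets manager or an environment variable, and any `mysql-inline-password` hit means the password should be rotated, since it has been written to history on disk.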

When the customer's operations staff saw the screenshot we sent, they immediately changed their tune: impressive, really first-rate, truly a professional website security vulnerability repair service provider. At this point the full trace and the problems behind the vulnerability had been found, and the customer went on to sign long-term APP penetration testing and security reinforcement services. In the follow-up services, SINE Security's technicians found several authorization-bypass (ultra vires) issues in the API interface: user information could be viewed beyond one's own authority, which could lead to APP user information being leaked and tampered with; for example, a user's amount could be changed directly to any value through this interface vulnerability. The message feedback function in the APP also had an XSS (cross-site scripting) vulnerability, which let hackers obtain the back-end session and cookie values and log in to the back-end directly. Some interface documentation was also exposed directly on the front end. Because the developers had no security awareness, backup files were casually placed under the website root directory; with some tools these backup files could be retrieved, and they contained a large amount of code. There were too many vulnerabilities of this kind. If you encounter similar problems, remember to check every detail and function carefully; any server or website associated with the database or the APP must be carefully checked for vulnerabilities, because these are the entry points for hacker attacks, and the more entry points there are, the higher the probability of a successful intrusion. If you really cannot handle it yourself, you can turn to a professional website vulnerability repair service provider to deal with the data leakage problem.
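The interface vulnerability described above, where a user's amount can be set to any value and other users' records can be read, is an object-level authorization failure: the handler trusts the `user_id` the client sends and writes whatever fields the client posts. The following is an added example, not the project's Java code, written in Python to keep it self-contained: a vulnerable read/update handler pair beside a hardened pair that binds the target record to the session user and allows clients to change only an explicit set of fields, plus the output escaping that closes the feedback-form XSS. The request shape, the `User` record and the in-memory database are all constructed for the example.

```python
"""Added example: authorization-bypass (ultra vires) pattern and its fix.
Not the project's code; request shape and data are constructed."""
import html
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    phone: str
    credit_limit: int      # the field that was tampered with in the incident
    role: str = "user"


def make_db():
    """Constructed in-memory stand-in for the App's user table."""
    return {
        1001: User(1001, "13800000001", 5000),
        1002: User(1002, "13800000002", 8000),
    }


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the target record."""


# ---- Vulnerable pattern: the handler trusts the user_id sent by the client ----
def get_profile_vulnerable(db, request):
    # Any logged-in user can read any record just by changing user_id in the request.
    return db[request["params"]["user_id"]]


def update_profile_vulnerable(db, request):
    # Any logged-in user can overwrite any field of any record, including credit_limit.
    user = db[request["params"]["user_id"]]
    for field_name, value in request["body"].items():
        setattr(user, field_name, value)
    return user


# ---- Hardened pattern ----
CLIENT_WRITABLE = frozenset({"phone"})   # credit_limit is set only by back-office logic


def _resolve_target(db, request):
    """Object-level authorization: the target record must belong to the session user."""
    session_uid = request["session"]["user_id"]
    target_uid = request["params"].get("user_id", session_uid)
    if target_uid != session_uid:
        raise Forbidden(f"user {session_uid} may not access record {target_uid}")
    if target_uid not in db:
        raise KeyError(target_uid)
    return db[target_uid]


def get_profile(db, request):
    return _resolve_target(db, request)


def update_profile(db, request):
    user = _resolve_target(db, request)
    disallowed = set(request["body"]) - CLIENT_WRITABLE
    if disallowed:
        raise Forbidden(f"fields not writable by clients: {sorted(disallowed)}")
    for field_name, value in request["body"].items():
        setattr(user, field_name, value)
    return user


def render_feedback(message: str) -> str:
    """Escape user-supplied feedback before embedding it in the back-end page (XSS fix)."""
    return f'<p class="feedback">{html.escape(message, quote=True)}</p>'


if __name__ == "__main__":
    # User 1001 tries to set user 1002's credit limit to 200,000 through the profile endpoint.
    req = {"session": {"user_id": 1001}, "params": {"user_id": 1002}, "body": {"credit_limit": 200000}}
    print("vulnerable:", update_profile_vulnerable(make_db(), req).credit_limit)
    try:
        update_profile(make_db(), req)
    except Forbidden as exc:
        print("hardened:", exc)
    print(render_feedback('<script>alert(1)</script>'))
```

The two checks in `update_profile` are independent: the identity check stops the horizontal bypass (reading or writing someone else's record), and the field allow-list stops the vertical one (a user setting their own `credit_limit`), which the identity check alone would not catch.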
