Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Network Privacy The Internet

Education and Science Giant Elsevier Left Users' Passwords Exposed Online (vice.com) 43

The world's largest scientific publisher, Elsevier, left a server open to the public internet, exposing user email addresses and passwords. "The impacted users include people from universities and educational institutions from across the world," reports Motherboard. "It's not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials." From the report: "Most users are .edu [educational institute] accounts, either students or teachers," Mossab Hussein, chief security officer at cybersecurity company SpiderSilk who found the issue, told Motherboard in an online chat. "They could be using the same password for their emails, iCloud, etc." Motherboard verified the data exposure by asking Hussein to reset his own password to a specific phrase provided by Motherboard before hand. A few minutes later, the plain text password appeared on the exposed server. Elsevier secured the server after Motherboard approached the company for comment. Hussein also provided Elsevier with details of the security issue.

An Elsevier spokesperson told Motherboard in an emailed statement that "The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts."

This discussion has been archived. No new comments can be posted.

Education and Science Giant Elsevier Left Users' Passwords Exposed Online

Comments Filter:
  • They suck!

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday March 18, 2019 @06:09PM (#58295298) Homepage Journal

    "Education and Science Giant"? You fucking whores. Try MASSIVE PURVEYOR OF SCIENTIFIC FRAUD [slashdot.org] next time, if you can find your spine and get it working.

  • by blahbooboo ( 839709 ) on Monday March 18, 2019 @06:20PM (#58295344)

    How can any company STILL not be hashing their user's passwords?

    • Came here to say the same thing. Why would anyone store passwords???? Isn't that just too well known that you store hashes?

      Is there some common CMS that does it that way or something?

      • they probably just store it all in Oracle or mysql.

        • by ls671 ( 1122017 )

          they probably just store it all in Oracle or mysql.

          That's what I do most of the time and it doesn't prevent me from hashing and salting so I am not sure that I understand your point.

          • I thought LinkedIn was unbelievably negligent when they were not using salt. But Elsevier doesn't even hash?!?! What is this, 1980?

    • by k2r ( 255754 )

      IIRC I’ve seen passwords in transcripts of HTTP authentication logged into a big retailers Splunk. It was fixed days after mentioning it.
      I guess this was similar with Elsevier‘s Kibana, with the addition of no “user accounts” and “publicly accessible”

      I prefer the password management of sci-hub,

    • Because some manager saved the company some money by having his high school nephew who's "really good at computers" write the password authentication program, instead of hiring a real programmer.
    • by ceoyoyo ( 59147 )

      Because getting hacked works like it does on TV... some kid in a hoodie types really fast, and there's nothing you can do unless you have another kid in a hoodie to type back.

      Hashing passwords? Is that some kind of drug thing?

  • ...that manages authentication and privacy information on their servers without knowing: a. they are using up-to-date software b. that they are actually deploying it correctly c. that they don't just go with the default settings It's akin to trusting an electronic voting system with proprietary code that you can't examine. And 3rd party audit of security practices is a joke.
    • lolz you're talking about a place that stores passwords in plain text, they're morons. forget about your advanced concepts being something actionable by them.

  • by Anonymous Coward on Monday March 18, 2019 @07:08PM (#58295518)

    It's not science at all, is a giant peddler of stolen goods that made a monopoly from public research.

  • This sounds like a mecca of open and free scientific documents.

  • by Anonymous Coward

    Well at least they tried open science for a while. How do we get them to do that permanently?

  • Library Genesis don't need passwords, so not really possible to "expose" them.

  • by jonwil ( 467024 ) on Monday March 18, 2019 @10:45PM (#58296212)

    Its 2019, why would anyone even be storing passwords in plaintext (or reversible encryption) instead of using password hashes?

  • by astrofurter ( 5464356 ) on Tuesday March 19, 2019 @12:59AM (#58296526)

    From TFA: "The data itself was displayed via Kibana, a popular tool for visualizing and sorting data."

    So this is yet another case of an unsecured ELK (Elasticsearch, Logstash, and Kibana) cluster sitting wide open on the public internet. Most likely an AWS managed ES cluster - which have lately become notorious for their terrible security. Terrible because AWS refuses to give a dime to the company that wrote the software and therefore gets no cooperation from them, yet is also too cheap to implement their own security layer.

    I've been a reasonably satisfied user of AWS for many years. But I do not hesitate to call the AWS managed Elasticsearch offering a security nightmare. And a social affront to the open source community.

    My company recently switched from AWS ES (with a home-rolled security layer) to Elastic Co's managed ES service. Dealing with Elastic's enterprise-y salescreatures is a real pain. But their managed ES service is simultaneously much better and (in some configurations) slightly cheaper than the AWS offering.

    • There is absolutely zero reason to have any database on the open internet. "nmap $hostname$" today, make sure your IPs are not exposing things they shouldn't.
      • In AWS ES default configuration, any IP that can reach Kibana - the web UI often used by business analysts to explore the data - also has access to ES on its JSON/HTTP API.

        That's why AWS ES clusters are so often left wide open. So the business users can access Kibana from wherever. They hope for security by obscurity. No one outside the company knows the URL, so it's "secure".

        By itself, AWS ES does not offer any reasonable way to grant access to Kibana without also granting access to ES API. And it provides

        • This defect can be mitigated with a proxy that provides authentication and URL filtering.

          I strongly suggest setting up a VPN, there are several free packages and it shouldn't take more than a day to set up.

  • there, it says it all

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...