Millions of Golfers Land In Privacy Hazard After Cloud Misconfig (nbcnews.com)
Millions of golfer records from the Game Golf app, including GPS details from courses played, usernames and passwords, and even Facebook login data, were all exposed for anyone with an internet browser to see -- a veritable hole-in-one for a cyberattacker looking to build profiles for potential victims, to be used in follow-on social-engineering attacks. Threatpost reports: Security Discovery researcher Bob Diachenko recently ran across an Elastic database that was not password-protected and thus visible in any browser. Further inspection showed that it belongs to Game Golf, which is a family of apps developed by San Francisco-based Game Your Game Inc. Game Golf comes as a free app, as a paid pro version with coaching tools and also bundled with a wearable. It's a straightforward analyzer for those that like to hit the links -- tracking courses played, GPS data for specific shots, various player stats and so on -- plus there's a messaging and community function, and an optional "caddy" feature. It's popular, too: It has 50,000+ installs on Google Play.
Unfortunately, Game Golf landed its users in a sand trap of privacy concerns by not securing the database: Security Discovery senior security researcher Jeremiah Fowler said that the bucket included all of the aforementioned analyzer information, plus profile data like usernames and hashed passwords, emails, gender, and Facebook IDs and authorization tokens. In all, the exposure consisted of millions of records, including details on "134 million rounds of golf, 4.9 million user notifications and 19.2 million records in a folder called 'activity feed,'" Fowler said. The database also contained network information for the company: IP addresses, ports, pathways and storage info that "cybercriminals could exploit to access deeper into the network," according to Fowler, writing in a post on Tuesday. No word on whether malicious players took a swing at the data, as it were, but the sheer breadth of the information that the app gathers is concerning, Fowler noted.
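As an added example (not code from the article, Threatpost, Security Discovery or Game Golf), here is a small Python audit that flags the pattern the researchers found: an Elasticsearch node bound to a non-loopback interface with authentication switched off. The elasticsearch.yml samples are constructed; network.host and xpack.security.enabled are real Elasticsearch settings, and the loopback aliases are assumed to be the only safe bind targets for this check.

```python
# Added example: audit an elasticsearch.yml for the "open database" exposure
# pattern (publicly bound HTTP API + no authentication). Not from the article.

LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}  # assumed safe bind targets


def parse_es_config(text: str) -> dict:
    """Minimal parser for flat 'key: value' lines (ignores comments/blank lines)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if ":" in line:
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def audit_es_config(text: str) -> dict:
    """Return bind/auth status plus human-readable findings for one node config."""
    cfg = parse_es_config(text)
    host = cfg.get("network.host", "_local_")   # Elasticsearch binds loopback if unset
    public_bind = host not in LOOPBACK
    # Only an explicit "true" counts: pre-8.x basic-licence nodes ship with it off.
    auth_enabled = cfg.get("xpack.security.enabled", "").lower() == "true"
    findings = []
    if public_bind:
        findings.append(f"network.host={host}: HTTP API reachable beyond localhost")
    if not auth_enabled:
        findings.append("xpack.security.enabled is not true: API answers unauthenticated")
    exposed = public_bind and not auth_enabled
    if exposed:
        findings.append("EXPOSED: anyone who can reach port "
                        f"{cfg.get('http.port', '9200')} can read the indices")
    return {"public_bind": public_bind, "auth_enabled": auth_enabled,
            "exposed": exposed, "findings": findings}


# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CONFIG = """
cluster.name: golf-stats
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no credentials required
"""

HARDENED_CONFIG = """
cluster.name: golf-stats
network.host: 127.0.0.1        # loopback only; front with an authenticated proxy
http.port: 9200
xpack.security.enabled: true   # users/roles enforced on every request
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_es_config(cfg))
```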
Re: (Score:1)
If you want to track data over time from multiple devices and compare stats on social media or store large amounts of data... the cloud is better. This isn't important data, this is golf shit.
"This is golf shit" is the point, isn't it? Why in the hell would anyone want to risk their identity and GPS locations for something as silly as this, or any other "free" app? As many times as we've seen apps like this use poor security to store personal information, why does anyone use them, or think they are free? It's more like you are gambling your personal info against using some silly program. While using the "cloud" for corporate programs makes sense, it's also been shown time after time that even im
Enough with the punnery, Ed.! (Score:2)
Can't dupes and deletions and absolutely horrid headlines be the only way you torture us? Must we also suffer your punnery?
Honestly, you're chipping away at my sanity. It's like you want to drive us insane!
The constant barrage of security lapses is starting to make for nice background hum, so often they happen.
Re: (Score:2)
The constant barrage of security lapses is starting to make for nice background hum, so often they happen.
Considering the default for most utilities and services is to be insecure out of the box with an absence of assumption of auditing or encryption, I've wondered why the media and industry consider them 'lapses' rather than eventualities. Even good security practice plans for breaches as eventualities.
Re: (Score:2)
Considering the default for most utilities and services is to be insecure out of the box with an absence of assumption of auditing or encryption, I've wondered why the media and industry consider them 'lapses' rather than eventualities. Even good security practice plans for breaches as eventualities.
One job ago, at an MSP, we had a client (a fairly high-profile client, a name well known in the local community) who kept repeatedly getting ransomware'd despite all our best efforts. We kept securing their Azure environment, and they kept making RDP accessible to the outside internet. And guess what -- every time they got had, they got had after they'd undone the protections we'd put in. So we'd take a day or two to restore and re-secure the environment and admonish their boss, bill them for all that wor
Quintessential First World Problem (Score:1)
Cloud (Score:2)
Re: (Score:2)
This is for elitist golfers, though.
Surely they'll grant a mulligan.
In golf you keep your own score. I'll bet golf is popular with managers at cloud computer companies.
Re: (Score:2)
I still don't understand why any cloud service would allow you to just open your DB to the internet without asking three or four times whether you REALLY want to do this.
When you build your first data store in the cloud, you don't yet know how you even want to do security, let alone how you're going to manage keys properly, and it's just a test app, no real user data you see, and it's just a proof of concept that the idea of cloud storage works at all.
And the POC works. And the management says "it's working, move to the next project". And the cries of the engineers saying "but, but, but we're not done yet! security!" fade into the distance.
But, seriously, IT security sh
Re: (Score:2)
Re: (Score:2)
AWS IAM roles and users can be a real pain to figure out - it's one of the bigger flaws of AWS. At least AWS changed the default for S3 not to be world-readable, but that's a recent change.
For anyone who's done an AWS project before, setting up basic security before you start the actual project is natural. But "cloud" is new enough that "first ever project in the cloud" is still fairly common. I understand how projects get started before teams have security figured out - managers want to see progress on
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
AWS has only recently begun reacting to how hard their services are to ramp up on. All their efforts to make it easier to get started have come out in the past 2-3 years. I know the guys who did this https://aws.amazon.com/lightsa... [amazon.com] and it hadn't even occurred to AWS management until a few years ago to make a simple web app starter kit that sets up reasonable defaults for everything.
Wait.... (Score:2)
Re: (Score:2)
There's millions of people who play golf? Shirley you jest.
Yes, millions do play golf - and stop calling me Shirley.
Re: (Score:2)