MacKeeper, a suite of software that claims to offer protection for Apple products, has exposed up to 13 million customer records including names, addresses, IP addresses and user credentials.
Kromtech, the German firm behind MacKeeper, has said that it is aware of the flaw uncovered by white hat security researcher Chris Vickery, who revealed that a 21GB trove of sensitive data was easily accessible by using a specialised search engine called Shodan that indexes devices connected to the internet.
Vickery explained in a post on Reddit how he used Shodan to search for devices on the internet with open ‘ports’, specifically those accepting incoming connections on the port associated with the MongoDB database management system.
“I had never even heard of MacKeeper or Kromtech until last night. I just happened upon it after being bored and doing a random port:27017 search on Shodan,” he said.
Vickery said that he was unable to make contact when he initially attempted to disclose the flaw to Kromtech. However, the firm quickly responded and moved to release a fix after he posted about the problem online.
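The exposure described above comes down to a database listener reachable from any address with no authentication in front of it. The following is an added example, not code from the article or from Kromtech, that audits a mongod.conf for exactly that pairing. The two configuration fragments are constructed for the demo (they are not MacKeeper's real configuration), and the tiny YAML reader only handles the two-level layout mongod.conf uses; a production audit would use PyYAML instead.

```python
# Constructed mongod.conf fragments. EXPOSED_CONF reproduces the condition the
# article describes (listener on all interfaces, no authentication); HARDENED_CONF
# is the corrected form. Neither is taken from MacKeeper's systems.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Minimal reader for the 'section:\\n  key: value' layout of mongod.conf.
    Assumption for this example only: it is not a general YAML parser."""
    tree, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not raw.startswith(" "):                  # top-level section
            section = key
            tree[section] = {} if value == "" else value
        elif section is not None and isinstance(tree[section], dict):
            tree[section][key] = value               # nested key under section
    return tree


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means the two checks passed."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net") if isinstance(cfg.get("net"), dict) else {}
    sec = cfg.get("security") if isinstance(cfg.get("security"), dict) else {}
    findings = []

    # mongod defaults when a key is absent: bindIp 127.0.0.1 (since MongoDB 3.6)
    # and authorization disabled.
    bind = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    open_listener = bind_all or any(
        addr.strip() in ("0.0.0.0", "::") for addr in bind.split(","))
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"

    if open_listener:
        findings.append("net.bindIp: listener reachable from all interfaces")
    if not auth_on:
        findings.append("security.authorization: not enabled")
    if open_listener and not auth_on:
        # The combination is what makes the data world-readable, as in the article.
        findings.append("CRITICAL: unauthenticated MongoDB reachable from the network")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Run it against `/etc/mongod.conf` by reading the file into `audit_mongod_conf`; binding to localhost only and enabling authorization are independent fixes, and the audit reports each separately so a partially remediated host is still flagged.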
The data was easily accessible owing to weak encryption, according to the researcher. More specifically, the firm was reportedly using MD5 hashes for passwords, which are easily cracked using available tools.
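The weakness described here is that a bare MD5 digest has no salt and no work factor, so a leaked hash list can be attacked with ordinary tooling. The following is an added example, not code from the article or from Kromtech, showing the defender's side: how to spot unsalted MD5 entries in a user table and how to migrate each one to a salted, iterated hash at the user's next successful login, which is the only moment the plaintext is available. The records, usernames and passwords are constructed for the demo, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations is an assumption (it is what the standard library offers; bcrypt or Argon2 would be preferred where a library is available).

```python
import hashlib
import hmac
import os
import re

# Assumed parameters for this example; the article says nothing about how
# MacKeeper stored or later migrated its hashes.
PBKDF2_ITERATIONS = 600_000          # OWASP minimum recommendation for PBKDF2-HMAC-SHA256
UNSALTED_MD5 = re.compile(r"^[0-9a-f]{32}$")


def make_sample_records():
    """Constructed sample in the shape of the leaked fields: username -> unsalted
    MD5 password hash. Usernames and passwords are invented, not from the dump."""
    return {
        "alice": {"password_hash": hashlib.md5(b"hunter2").hexdigest()},
        "bob": {"password_hash": hashlib.md5(b"correcthorse").hexdigest()},
    }


def find_weak_hashes(records):
    """Usernames whose stored hash is a bare 32-hex-character digest with no
    algorithm tag or salt, the tell-tale of unsalted MD5."""
    return sorted(user for user, rec in records.items()
                  if UNSALTED_MD5.match(rec["password_hash"]))


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing string so the
    parameters can be raised later without another flag day."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time check against either the new format or a legacy MD5 entry."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        expected = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                       bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(expected.hex(), digest_hex)
    if UNSALTED_MD5.match(stored):
        # Legacy path: accept the old digest only long enough to upgrade it.
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)
    return False


def verify_and_upgrade(records, username, password):
    """Authenticate; on success, rehash a legacy MD5 record in place."""
    record = records.get(username)
    if record is None or not verify_password(password, record["password_hash"]):
        return False
    if UNSALTED_MD5.match(record["password_hash"]):
        record["password_hash"] = hash_password(password)
    return True


if __name__ == "__main__":
    users = make_sample_records()
    print("weak before:", find_weak_hashes(users))
    verify_and_upgrade(users, "alice", "hunter2")
    print("weak after alice logs in:", find_weak_hashes(users))
```

Accounts that never log in again keep their MD5 entry, so after a breach like this one the migration has to be paired with a forced password reset for the remaining entries reported by `find_weak_hashes`, which is what the advice at the end of the article amounts to.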
“The data was/is publicly available. No exploits or vulnerabilities involved [in the search]. They published it to the open web with no attempt at protection,” Vickery said.
“If a company configures their database for public access, and it gets downloaded, I’d say it’s the company at fault.”
Vickery added that he found no credit card information but plenty of other information was accessible.
“The general information seems to be stuff like names, email addresses, usernames, password hashes, computer name, IP address, software licence and activation codes, type of hardware and type of subscription,” he said.
The researcher added that he has “no intention” of spreading the leaked data. “I would be hampering any sort of investigation into the matter by regulatory authorities if I were to immediately purge the data. As soon as I’m certain there are no parties that legitimately need to view the data, it will be destroyed,” he said.
MacKeeper responded by claiming that its analysis shows the researcher was the only person to have accessed the data, and thanked Vickery for reporting the fault.
“All customer credit card and payment information is processed by a third-party merchant and was never at risk. Billing information is not transmitted or stored on any of our servers,” the firm said in an online statement.
“We do not collect any sensitive personal information of our customers. The only customer information we retain are name, products ordered, licence information, public IP address and user credentials such as product-specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licences.”
Security expert Brian Krebs said he admired the researcher’s “courage and straightforward approach” to reporting the fault.
“His story is a good reminder about the importance of organisations using all of the resources available to them to find instances of public access to sensitive or proprietary data that shouldn’t be public,” he said.
MacKeeper users are urged to change their passwords immediately.