OS X utility MacKeeper hacked: 21GB data of 13 million account details exposed
Chris Vickery, a white hacker on Sunday announced on Reddit that by using a simple Shodan query, he was able to access “13 million sensitive account details” on MacKeeper that includes names, email addresses, usernames, password hashes, IP addresses, phone numbers, and system information. Owned by Kromtech, MacKeeper is a suite of performance and security utilities for Mac OS X.
According to Vickery (who goes by the screen name FoundTheStuff) on Reddit, “The data was/is publicly available. No exploits or vulnerabilities involved. [Zeobit and Kromtech] published it to the open web with no attempt at protection.” Vickery found the vulnerability by doing a random “port:27017” search on Shodan.io. He was able to download 13 Million customer records by simply entering a selection of IP addresses, with no username or password required to access the data.
Shodan is a search engine created for the purpose of finding servers, routers, network devices and more that sit online. Be it researchers or hackers can filter searches to find specific equipment by manufacturer, function and even where they are located geographically.
Vickery said he found four IP addresses leaking the data.
“The search engine at Shodan.io had indexed their IPs as running publicly accessible MongoDB instances (as some have already guessed),” Vickery said. “I had never even heard of MacKeeper or Kromtech until last night. I just happened upon it after being bored and doing a random “port:27017? search on Shodan.”
Even though the passwords were encrypted, Vickery believes that MacKeeper was using weak MD5 hashes to protect its customer passwords, allowing anyone to crack the passwords in seconds using MD5 cracking tools.
After Vickery posted the issue on Reddit, the company responded saying that had no evidence that the data was accessed by malicious parties.
Kromtech did reply with a statement that it has taken steps to close the database off from the open Internet.
“We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself,” Kromtech said in its statement. “We have been in communication with Chris and he has not shared or used the data inappropriately.”
Also, a post on the MacKeeper website states that the company “will continue to take every possible step to protect the data of our customers from the evolving cyber threats that companies both large and small face on a daily basis.” The statement also said that since MacKeeper uses a third-party merchant for payment card data, and the details was not on the same database, nor is it stored on its servers. Hence, customer credit card and payment information was “never at risk.”
This isn’t the first time MacKeeper has been in the news for a security issue. In May, the company had patched a zero-day remote code execution vulnerability due to the flaw in MacKeeper’s handling of custom URLs. An attacker who could trick a user into visiting a site hosting an exploit could ultimately run code on the vulnerable computer. That vulnerability was fixed with a software update.