The misconfigured ElasticSearch database contained about 134 million documents with 40 GB of data on some 300,000 employees worldwide.
"The information available in the database appears to be something like an inventory of all Honda internal machines," said Justin Paine, the researcher who found the unsecured ElasticSearch instance. "This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda's endpoint security software."
# About the exposed data
The unprotected ElasticSearch database exposed very specific data on hundreds of thousands of Honda employees, such as names and email addresses, as well as network information, operating system, OS version, hostnames and the patch status of each computer's endpoint security vendor. In addition, some 3,000 data points were stored in an "uncontrolled machines" table, a list of Honda's internal network computers that had not applied an endpoint security device. The database also contained information on high-value computers, such as those of CFOs, CSOs and CEOs, which could enable attackers with sufficient knowledge to locate and access data they could use for highly targeted attacks. For example, for a Honda CEO, the open database showed full name, account name, email and last login date, along with the computer's "MAC address, Windows KB/patch used, OS, OS version, security endpoint status, IP, and device type."
## Database breach
The data was updated daily, as was revealed after analyzing database activity over 30 days, with some 40,000 new entries containing information about Honda staff from around the world and the current network, security and OS status of their computers. Honda's exposed database, estimated to cover roughly three months starting on March 13, was found by Paine on July 4th, and after a few days of trying to find a contact to disclose his finding responsibly, he was able to get in touch on the morning of July 6th.
The database remained open for about six days, as Shodan's search for the exposure shows the timestamp of discovery as 1 July 2019. Ten hours later, Honda secured the data and sent the researcher a statement for reporting the vulnerable database. "What makes this information particularly dangerous in the hands of an attacker is that it shows you exactly where the soft spots are," concluded Paine. "I am specifically not going to name the major endpoint security vendor that protects Honda's machines, but the data makes it clear which vendor they use and which machines have the endpoint security software enabled and up to date."