Unsecured ElasticSearch server at Viec.co, a freelance outsourcing company, exposes the PII of its recruitment workforce

An unsecured ElasticSearch server used by Viec.co, a Vietnamese freelance outsourcing company, has led to the discovery of several security deficiencies that are exposing the PII of its ~6000-person workforce:
  • Application debug logs exposing the names, emails and addresses of its freelance workforce
  • Links to an unsecured Amazon S3 cloud storage bucket containing internal documents and images of its workforce's government-issued photo IDs
  • Use of unencrypted API endpoints in its mobile application

Another day, another unsecured ElasticSearch server found exposing the Personally Identifiable Information (PII) of its user base. Today's candidate was run by a Vietnamese freelance outsourcing company, Viec.co. Upon analysis of the unsecured data, several API logging records were found that contained user profile information: names, addresses, phone numbers and Amazon S3 links to users' government-issued ID cards.

A full list of exposed information / issues:

Unsecured ElasticSearch Server:

  • Worker information:
    • Name
    • Address / region / district / ward
    • Phones
    • Email
    • Gender
    • Birthdate
    • Hourly rate

Unsecured S3 Drive:

  • Government photo ID pictures for approx. 2600 individuals
  • Daily operations and cost reports
  • Mobile application notification tokens
  • Worker CVs
  • Copy of worker contracts

Mobile Application API calls:

  • API calls using HTTP rather than HTTPS
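The three findings above share one root cause: application debug logs that echo request and response bodies verbatim. The following is an added example (not code from Viec.co or from the original post) of a defender-side audit that a team could run over its own log index to catch exactly these patterns before they reach an exposed server. The log documents, hostnames and bucket name are constructed for illustration and do not come from the disclosure.

```python
import re
from typing import Dict, List

# Patterns for the data classes this disclosure found in the debug logs.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Assumption: phone numbers written as 0XXXXXXXXX or +84XXXXXXXXX (10 digits).
PHONE_RE = re.compile(r"(?<!\d)(?:\+84|0)\d{9}(?!\d)")
# Object links into an S3 bucket, whether served over http or https.
S3_RE = re.compile(r"https?://[\w.-]*s3[\w.-]*\.amazonaws\.com/\S+", re.I)
# API calls logged as plain http:// rather than https://.
PLAIN_HTTP_RE = re.compile(r"\bhttp://\S+")


def audit_log_doc(source: Dict) -> List[str]:
    """Return finding tags for one Elasticsearch log document's _source."""
    # Flatten nested values (request/response bodies) into one searchable string.
    text = " ".join(str(v) for v in source.values())
    findings = []
    if EMAIL_RE.search(text):
        findings.append("pii:email")
    if PHONE_RE.search(text):
        findings.append("pii:phone")
    if S3_RE.search(text):
        findings.append("s3:object-link")
    if PLAIN_HTTP_RE.search(text):
        findings.append("transport:plain-http")
    return findings


def audit_index(docs: List[Dict]) -> Dict[str, List[str]]:
    """Map document id -> findings, keeping only documents with at least one."""
    result = {}
    for doc in docs:
        findings = audit_log_doc(doc["_source"])
        if findings:
            result[doc["_id"]] = findings
    return result


# Constructed sample documents shaped like Elasticsearch search hits.
SAMPLE_DOCS = [
    {"_id": "1", "_source": {"level": "DEBUG",
                             "msg": "GET http://api.example.test/v1/profile -> 200",
                             "body": {"name": "Nguyen Van A", "email": "a.nguyen@example.test",
                                      "phone": "0912345678"}}},
    {"_id": "2", "_source": {"level": "DEBUG", "msg": "uploaded id card",
                             "url": "https://example-bucket.s3.amazonaws.com/ids/123.jpg"}},
    {"_id": "3", "_source": {"level": "INFO", "msg": "worker pool resized to 12"}},
]

if __name__ == "__main__":
    print(audit_index(SAMPLE_DOCS))
```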

Sample Documents:
