Data Exposure Alert: Douzone South Korea / BizBox Alpha
Exposure Alert:
During the development of an MQTT auditing tool, I came across a misuse/misconfiguration issue with the BizBox Alpha software, which is developed and sold by Douzone (Duzon) of South Korea. On Dec 20th 2018, the exposure notice and details were sent to Douzone in order to have the problem addressed.
Details:
Douzone according to their website is:
a leading company in information technology, has been contributing to enhancement of customer's competitiveness as Korea's leading ICT company providing various solutions and services required for informationization.
Douzone is not only the accounting program but also the market leader in enterprise information software such as ERP, IFRS solution, groupware, information protection and electronic tax bill.
Douzone develops a mobile groupware / document / email management system called BizBox Alpha, which uses MQTT to communicate with its iOS and Android clients and is used by over 3,000 companies in various industries.
Because the exposed messages include emails exchanged between Douzone's customers and third parties, the number of affected companies and individuals is vastly larger than the customer count alone.
Some of those companies include:
- Beyond Service, GOLFZON
- CIS
- Handok Clean Tech
- Korean Liquor Industry
- MXN
- Yeongdeungpo Cultural Foundation
- Enertec
- Hyune Aerospace (Including Military contracts)
MQTT Misconfiguration:
The BizBox Alpha software is misused/misconfigured in a way that allows anyone on the internet to connect as a client and subscribe to the "#" (multi-level wildcard) topic. The broker then sends a copy of every message it processes to the subscribed client, regardless of which customer or user the message was intended for.
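The two broker-side controls that prevent this class of exposure are authentication (no anonymous connections) and a topic ACL so that a client can only read its own notification topics, never "#". The page does not say which MQTT broker BizBox Alpha runs, so the following is an added illustration using Eclipse Mosquitto's configuration syntax; it is not Douzone's configuration, and the topic layout bizbox/notify/<user>/... is an assumption chosen only for the example.

```conf
# ---- Weak configuration (reproduces the exposure class described above) ----
# Anyone can connect without credentials and subscribe to "#".
listener 1883
allow_anonymous true
# no password_file, no acl_file: every connected client may read every topic

# ---- Hardened configuration ----
# Every client must authenticate, and an ACL limits what each client can read.
listener 8883
cafile   /etc/mosquitto/ca.crt          # assumed paths: adjust to the deployment
certfile /etc/mosquitto/server.crt
keyfile  /etc/mosquitto/server.key
allow_anonymous false
password_file /etc/mosquitto/passwd      # created with: mosquitto_passwd -c /etc/mosquitto/passwd <user>
acl_file /etc/mosquitto/acl

# ---- /etc/mosquitto/acl (hardened) ----
# %u expands to the authenticated username, so each mobile client can only
# read notifications published under its own prefix. No rule grants "#",
# so a subscription to "#" is silently denied by the broker.
pattern read bizbox/notify/%u/#

# The backend service that publishes notifications gets write-only access.
user notify-publisher
topic write bizbox/notify/#
```

Two points worth checking after applying a configuration like this: with a valid account, `mosquitto_sub -t '#'` should receive nothing, and an unauthenticated connection should be refused outright rather than accepted with an empty ACL. Authorisation at the broker is the primary fix; as a defence in depth, the notification payload itself should carry only a reference to the mail (such as the fileId seen in the sample below) rather than the subject, sender and a body snippet, so that a future misconfiguration discloses far less.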
Email and Chat exposure
Two main features of the BizBox Alpha software are the ability to notify the mobile clients of received emails and chat messages, each with a "snippet" of the content. That content is exposed to any client that subscribes to the "#" topic. A sample of an exposed message follows (the JSON below has been re-indented; the original had trailing commas that made it invalid JSON):
{
  "eventType": "MAIL",
  "title": {
    "kr": "[메일] RE: Hyune Pending Termination claims"
  },
  "content": {
    "kr": "linh.t.shandy@spiritaero.com<linh.t.shandy@spiritaero.com>"
  },
  "data": {
    "content": "Dear Mr. Huh, Rahul has forwarded the attached claims to me. I am forwarding the claims to our execution team to review and validate. I just wanted to let you know that we’re working these claims and will update you as soon as",
    "fileId": "1545067816649_172.17.0.1.eml",
    "title": "RE: Hyune Pending Termination claims",
    "recvList": [{
      "boxSeq": 1171,
      "empName": "허범",
      "paramStr": "muid|email",
      "email": "bh@hyune.co.kr"
    }],
    "timeStamp": 1545067820043,
    "sendName": "Shandy, Linh T",
    "sendEmail": "linh.t.shandy@spiritaero.com"
  },
  "url": "http://gwa.hyune.co.kr:80/mail2/readMailPopApi.do?{0}&{1}"
}