Data Breach - Seva.id Indonesian Vehicle & Property listing company

Note: Several attempts over the last 3 weeks have been made to contact Seva.id or its parent company AstraDigital across various methods. To date, there has been no response from Seva.id on the reported issues. An email to the Indonesia Computer Emergency Response Team was also sent, with no response.

Intro

Seva.id is an automotive and property listing company in Indonesia which runs a website for individuals who are looking to rent/buy automobiles or housing. Seva.id has failed to take adequate measures to protect its ElasticSearch server, which is logging detailed API calls. Those API calls contain user details including email addresses and clear-text passwords. Over 100,000 user records have been exposed.

Any encountered email with clear-text password has been sent to Have I Been Pwned.

Details

There is nothing too exciting about this one. The typical lapse in following security standards in securing customer data.

During one of my data scans I came across an unsecured ElasticSearch server with 168 indexes containing over 33 million records of API calls for the Seva.id website. A subset of those API calls contained a "user login" record which contains the clear-text password supplied by the end user.

Sample Record

{
  "_index": "seva-middleware2019.01.08",
  "_type": "logs",
  "_id": "hrROK2gBzseFugIRCOll",
  "_score": 1,
  "_source": {
    "name": "seva-middleware",
    "hostname": "sevaprod000000E",
    "pid": 19689,
    "listener": "admin-ajax:main",
    "ip": "114.124.242.124, 172.69.135.118",
    "query": "ast_login_user",
    "level": "info",
    "action": "ast_login_user",
    "email": "evalindXXXXXXXXXXX@yahoo.co.id",
    "password": "15XXXXXXXXXXXX",
    "ga_clientId": "619150287.1546861143",
    "v": 0,
    "@timestamp": "2019-01-08T02:31:33.089Z",
    "message": ""
  }
}

After viewing a sample subset of the records, it is estimated that there are over 100,000 user-and-password combination records (a minimum of 78,000 verified in the sample data).
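The root cause here is a logging pipeline that writes the full request body, credentials included, into an index that anyone could read. The following is an added example, not code from Seva.id, AstraDigital or the original post: a redaction step that a middleware could run on each structured log record before shipping it to ElasticSearch, plus an audit function that counts how many already-indexed documents still carry a credential field. The field layout mirrors the "_source" object in the sample record above; the field names "password", "email" and "action" come from that sample, while the key synonyms in SECRET_KEYS, the salt and all sample values are assumptions constructed for this example.

```python
"""Added example (not Seva.id's or AstraDigital's code): redact credential and
PII fields from API-call log records before indexing, and audit an existing
set of documents for credential fields that were indexed unredacted.

Assumptions: the record shape mirrors the "_source" object in the sample
record on this page; the key synonyms, salt and sample values below are
constructed for the example, not taken from real data.
"""
import hashlib
import json
import re
from typing import Any, Dict, Iterable, List, Tuple

# Keys whose value must never reach a log store, matched case-insensitively.
# "password" appears in the sample record; the other names are assumed
# synonyms a middleware might also log.
SECRET_KEYS = re.compile(r"(password|passwd|pwd|secret|token|authorization)", re.I)

# Keys that identify a person: pseudonymised rather than dropped, so the log
# stays useful for incident analysis without exposing the raw value.
PII_KEYS = {"email"}

REDACTED = "[REDACTED]"


def _pseudonymise(value: str, salt: bytes) -> str:
    """Keyed hash so analysts can correlate one user across records without
    the raw address. The salt must be a secret; the constant default used in
    this example is a placeholder, not a recommendation."""
    return "h:" + hashlib.sha256(salt + value.encode("utf-8")).hexdigest()[:16]


def redact_record(record: Dict[str, Any], salt: bytes = b"example-salt") -> Dict[str, Any]:
    """Return a copy of `record` that is safe to index: secret fields replaced
    with a marker, PII fields replaced with a keyed hash, nested dicts handled."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if isinstance(value, dict):
            out[key] = redact_record(value, salt)
        elif SECRET_KEYS.search(key):
            out[key] = REDACTED
        elif key.lower() in PII_KEYS and isinstance(value, str):
            out[key] = _pseudonymise(value, salt)
        else:
            out[key] = value
    return out


def find_credential_fields(record: Dict[str, Any], path: str = "") -> List[str]:
    """List dotted paths of fields in `record` that still hold a secret
    (non-empty and not already redacted). Used to audit an existing index."""
    hits: List[str] = []
    for key, value in record.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            hits.extend(find_credential_fields(value, here))
        elif SECRET_KEYS.search(key) and value not in ("", None, REDACTED):
            hits.append(here)
    return hits


def audit_documents(docs: Iterable[Dict[str, Any]]) -> Tuple[int, int]:
    """Return (documents scanned, documents that expose a credential).
    Accepts raw ElasticSearch hits (with "_source") or bare records."""
    scanned = exposed = 0
    for doc in docs:
        scanned += 1
        if find_credential_fields(doc.get("_source", doc)):
            exposed += 1
    return scanned, exposed


# Constructed samples: same field layout as the "_source" object on this page,
# with made-up values. Not real user data.
SAMPLE_LOGIN = {
    "name": "seva-middleware",
    "listener": "admin-ajax:main",
    "action": "ast_login_user",
    "email": "someone@example.invalid",
    "password": "constructed-password",
    "ga_clientId": "000000000.0000000000",
    "@timestamp": "2019-01-08T02:31:33.089Z",
}

SAMPLE_SEARCH = {  # a non-login call, for contrast
    "name": "seva-middleware",
    "action": "ast_search_cars",
    "query": "city car",
    "@timestamp": "2019-01-08T02:32:01.000Z",
}


def main() -> None:
    safe = redact_record(SAMPLE_LOGIN)
    print(json.dumps(safe, indent=2))
    hits = [{"_source": SAMPLE_LOGIN}, {"_source": SAMPLE_SEARCH}, {"_source": safe}]
    scanned, exposed = audit_documents(hits)
    print(f"scanned={scanned} exposed={exposed}")


if __name__ == "__main__":
    main()
```

Redaction at the producer is the control that would have prevented this exposure even with the server misconfigured, because the password never enters the index. It is not a substitute for the other half of the fix, which is keeping the ElasticSearch node off the public internet and behind authentication; the audit function is there so an operator can measure how much sensitive material an existing index already holds before deciding whether to purge it.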

Note to Seva.id Users

If you are a Seva.id user I suggest you contact Seva or AstraDigital and demand that they secure their ElasticSearch server ASAP!
