Here in Woesnotgone Meadow, we are online quite frequently. One headache the residents have dealt with has been with passwords. Some of our residents have found it difficult to remember all the passwords they have for the different sites. Most of the residents have begun using a password manager. Margie from the library recommended using a password manager. Generally these managers work fine. This was not the case, however, with Blur.
Abine is the corporate entity behind Blur, a password manager, and DeleteMe, an online privacy protection service. Blur's service is secure password management: it encrypts the passwords the user stores with it and aims to improve the user's privacy.
There was a rather significant compromise recently. This was not actually an attack, but more a case of negligence. A reasonably prudent person would secure the cloud platform where the data was located. If the person was not sure how to do this, they would research it or hire a party to do it. After all, the company is the steward of the data and is responsible for it.
This did not exactly happen here. The subject file sat in an Amazon S3 storage bucket, which was unfortunately misconfigured. On December 13, 2018 the business was notified by a security researcher that there was an issue. The business had no idea. A server was accessible and exposed a file with sensitive client information. The business, post-notification, did examine this, as you would expect, instead of just taking the researcher's word, and found the assertion was correct. This was announced on their business blog.
Of all the potential companies to have an insecure file open and accessible, this was the one. This should not have been misconfigured and insecure, given what the company focused on.
In this specific instance, 2.4M Blur users were affected: those who registered prior to January 6, 2018. The user data was left exposed and accessible. This included the user's email address, a portion of the user's first and last name, the user's password hints, the last two IP addresses used to log in to the Blur app, and the user's encrypted password. In this case, no DeleteMe user data was involved.
As noted, this was not exactly an attack. The data was openly exposed and accessible; however, there was no direct evidence the data was exfiltrated.
This was another example of a misconfigured AWS bucket. There may have been a time issue, or other factors involved. One of the managers should have actually reviewed the bucket's configuration, and not just checked the box.
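Reviewing the configuration, rather than checking the box, is something that can be scripted. The following is an added example, not code from this post or from Abine: a small offline audit of the three S3 settings that decide whether a bucket is public, run over the document shapes the S3 API returns (the sample policy, ACL and bucket name are constructed for illustration).

```python
"""Offline audit of S3 bucket settings for public exposure, over the shapes the S3
API returns for get_bucket_policy (JSON string), get_bucket_acl, get_public_access_block."""
import json

# Canned ACL groups that open objects to anyone (AllUsers) or any AWS account (AuthenticatedUsers).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_bucket(policy_json, acl, public_access_block):
    """Return (kind, detail) findings; an empty list means nothing public was seen."""
    findings = []
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            # A Condition may narrow access (e.g. to one VPC): flag it for manual
            # review instead of declaring it either safe or public.
            kind = "policy-review" if stmt.get("Condition") else "policy-public"
            findings.append((kind, stmt.get("Sid", "<no Sid>")))
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append(("acl-public", grant.get("Permission")))
    cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if cfg.get(k) is not True]
    if missing:
        findings.append(("public-access-block-incomplete", ",".join(missing)))
    return findings

# Constructed samples: the exposed-bucket pattern (policy open to everyone,
# AllUsers read grant, no Public Access Block) and a hardened counterpart.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
EXPOSED_ACL = {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
```

Feed it the real settings exported with the AWS CLI or boto3 and treat any finding as a blocker; the Public Access Block alone would have stopped both the public policy and the public ACL from taking effect.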
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.