Cryptocurrency Leaks Personal Information for Thousands of Investors
On Mar 30, researchers at Kromtech Security identified a database open to the public containing full names, addresses, email addresses, encrypted passwords, and wallet information, along with links to scanned passports, driver's licenses, and other IDs for over 25,000 investors of the newly created Bezop. The information was found within a MongoDB database without any security.
John McAfee, an adviser on the board for Bezop, described Bezop as “a distributed version of Amazon.com” in a recent Twitter post. It is that, but it's also a cryptocurrency. Bezop is adding, and has in fact already added, its own cryptocurrency, which they call “Bezop tokens”, into the stream of transactions.
The transaction and cryptocurrency side of Bezop is built around Ethereum, an open blockchain technology that enables developers to more easily design distributed systems to manage transactions and create their own cryptocurrency. The front-end store side of Bezop's system is reportedly based upon HTML5, React JS, Node.js, and MongoDB.
Bezop, on the store side, is focusing on making it very easy to set up a store. On the blockchain side they promise smooth and secure transactions for those selling commodities, with less risk of fraud for the seller. They will also be adding more of their own cryptocurrency into the market by allowing those using their service to “mine” their own new Bezop Tokens based upon their sales, a bounty-type incentive program.
Around the time of their ICO, which finished January 10, 2018, Bezop launched their first bounty program, in which people would earn Bezop Tokens in exchange for promoting Bezop via online social media sites like Facebook, posting to forums while using an approved Bezop signature on sites such as bitcointalk, moderation of forums, or by writing articles about Bezop.
One of the tables in the publicly open database was named “Bounty”, so it appears that the database left unprotected may contain the information for the people who invested and participated in this part of the program.
It does not seem to be a very good start for a company such as this to place personal information of anyone on the Internet and open to the public, especially its early investors. In fact, it's a little difficult to grasp how it could happen, even if by mistake. Given the changes to MongoDB, it would have to have been deliberately configured to be public, a configuration which should not even be risked internally.
Making your investors' personal information public is obviously not a good practice and a huge mistake to make. We hope that they ensure that their new product, which uses MongoDB as part of its design, and any future bounty programs using the same, will be configured far more securely than this MongoDB instance turned out to be. Ease of use should never be placed above security, even during the development cycle.
At the time of this report, Bezop has been notified and has made no comment, but they have secured the database.
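As an added example (not code from Kromtech or Bezop), the script below audits a mongod.conf for the two settings that decide whether an instance answers unauthenticated requests from the network: the bind address and security.authorization. It assumes the "changes to MongoDB" mentioned above refer to localhost-only binding being the default since MongoDB 3.6; the sample configs and the flatten/audit helper names are constructed for illustration.

```python
# Added example, not Kromtech's or Bezop's code. Sample configs are constructed.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface, no authorization section at all
"""
HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Turn the nested 'section:' / 'key: value' layout of mongod.conf into dotted keys."""
    out, stack = {}, []                      # stack: (indent, name) of open sections
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip() # drop comments and trailing space
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                      # leave sections we have dedented out of
        value = value.strip().strip("'\"")
        if value:
            out[".".join([name for _, name in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return out

def audit(conf_text):
    """Return findings; an empty list means the instance is loopback-only with auth on."""
    conf = flatten(conf_text)
    # Assumption: an absent bindIp means localhost, the default in MongoDB 3.6 and later.
    binds = {b.strip() for b in conf.get("net.bindIp", "localhost").split(",")}
    exposed = sorted(binds - LOOPBACK)
    findings = []
    if conf.get("net.bindIpAll", "false").lower() == "true":
        exposed = ["all interfaces"]
    if exposed:
        findings.append("listens beyond loopback: " + ", ".join(exposed))
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled")
    return findings
```

Calling audit(WEAK) reports both problems, while audit(HARDENED) returns an empty list. A bind address beyond loopback is a finding to review rather than an automatic failure when authorization and network filtering are both in place.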
In our previous research we have learned that it takes about 3 hours for a misconfigured MongoDB server to be compromised.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.