Updated 18.12.2014

Phishing attacks work best when the sender can convince the email recipient that they really are representing the company they claim to be. Providing some genuine information about the user you’re trying to scam – especially if it’s the kind of information that it seems only a company would know – is going to make a phishing attempt a lot more convincing.

phishing

noun
the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online.

I recently came across a worryingly simple way to access some of the personal data for users of Automattic’s services. Automattic provide the popular WordPress blogging platform, along with the widely adopted Akismet anti-spam service. For a company that provides a service for combating some of the more nefarious uses of the web, I’d have expected a little more care with potentially sensitive information.


What information?

The user information I found isn’t particularly damaging, but it does make good phishing material. The content I was able to view included:

  • Full name
  • Email address
  • User-specific PayPal information
  • The last 4 digits of a credit card
  • Some of the services that the individual was using
  • Domain names they owned / managed
  • Dates of services and transactions

I was able to access information going back as far as 2006, and there are more than 7,000 possible records.


How?

I’m not going to explain how I accessed this information, as I certainly wouldn’t condone using it to perform any kind of phishing attack. But I can clarify that anyone would be able to do this, freely and in any browser. There’s nothing “hacky” going on whatsoever. My grandfather could find this information, if I explained a few simple steps to him. And he still marvels at the concept of an electronic thesaurus.

With a little more technical knowledge, it would be relatively straightforward for an automated script to scrape all of this data into a neat spreadsheet of information. To what end? Why make a fuss about seemingly harmless information? Read on.


Why does it matter?

Information like this doesn’t have to be useful on its own. You’re not going to gain access to a bank account with someone’s name, email, and the last 4 digits of their card. But it’s the kind of simple data – and a convincing point of context – that can help bring a feeling of legitimacy to a phishing email. Imagine this:

“Hello [full name],
Richard from Automattic here. An issue with our billing system means that your payment for [service] with us on [date], [reference number] didn’t clear successfully.
Please follow the link below to complete payment with your [card details].
[phishing link]”

Most people would probably be suspicious to receive something like this, but it’s the kind of email that would potentially convince a less security-conscious recipient to at least click the link. Depending on how convincing the accompanying site was, they may even go on to enter some more personal information before realising their mistake. That’s a successful phishing trip for any spammer.

So even though the information itself isn’t damaging, it’s the kind of data that can make a phishing attack infinitely more convincing to a potential victim. As much as we tell ourselves we’re too savvy to fall for these simple cons, hundreds of people out there still do.

It also shows an alarmingly casual attitude toward user information and data protection. Without going into too much detail about how to find this information, it doesn’t seem like it would be particularly difficult to safeguard from complete strangers.


What now, Automattic?

I contacted Automattic with a few tweets to try and draw their attention to the issue. I didn’t volunteer where this information was available, in the hope that they would engage me in a conversation rather than quickly ignoring me and pretending it wasn’t happening. Unfortunately, I’ve received no response.

The idea did occur to me that I could, using this information, email some of the users concerned and point out how I obtained their information. But this seemed like exactly the kind of invasion of privacy that phish-friendly data enables, so I decided against it.

I hope that I can eventually draw Automattic’s attention to a problem that, while it may appear minor on the surface, should be addressed. Perhaps they don’t feel that seemingly trivial data is worth protecting. But this data facilitates the kind of malicious attacks that still claim victims, and that should be enough of a reason to tighten up access with a little more responsibility.

(The data is still available as of 18th December, 2014)



Update:

After a few more tweets, and several retweets from other people, Automattic responded. I got in touch via email, explained the issue, and they’d fixed it within 30 minutes. Credit where credit is due, the problem no longer exists.

Simply put, invoices within the Automattic account pages weren’t secure. Each invoice used the same URL with a numeric parameter on the end. Change the number, and you had a different invoice – whether it was yours or not. These invoices contained the personal details I described above.
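The flaw described above is an insecure direct object reference: the numeric id in the URL was the only thing selecting the invoice, with no check that it belonged to the logged-in account. The following is an added example, not Automattic's code, showing that lookup pattern beside the ownership check that closes it, plus a small scan over access records that flags a user walking through consecutive invoice ids. The invoice records, account names and log entries are constructed for the example.

```python
"""
Added example (not Automattic's code): an invoice lookup keyed only by the
numeric id from the URL (the flaw described in the post), the hardened
lookup that also checks ownership, and a detection helper that flags
sequential-id enumeration in access records. All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str        # account the invoice belongs to
    email: str
    card_last4: str   # the kind of detail the post says was exposed


# Constructed sample data: sequential ids across two accounts.
INVOICES = {
    1001: Invoice(1001, "alice", "alice@example.com", "4242"),
    1002: Invoice(1002, "bob", "bob@example.com", "1111"),
    1003: Invoice(1003, "alice", "alice@example.com", "4242"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested invoice."""


def get_invoice_insecure(invoice_id: int) -> Optional[Invoice]:
    """The vulnerable pattern: the id in the URL is the only selector, so
    any logged-in user can read any invoice just by changing the number."""
    return INVOICES.get(invoice_id)


def get_invoice(invoice_id: int, current_user: str) -> Invoice:
    """Hardened lookup: the record is returned only if it belongs to the
    authenticated caller. A missing id and a foreign id raise the same
    exception, so the response does not confirm which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise Forbidden(f"invoice {invoice_id} is not visible to {current_user}")
    return inv


def is_visible(invoice_id: int, current_user: str) -> bool:
    """Convenience wrapper: True only when the hardened lookup succeeds."""
    try:
        get_invoice(invoice_id, current_user)
        return True
    except Forbidden:
        return False


# Constructed access records: (account, requested invoice id), in order.
ACCESS_LOG = [
    ("bob", 1002), ("bob", 1003), ("bob", 1004), ("bob", 1005), ("bob", 1006),
    ("alice", 1001), ("alice", 1003),
]


def find_enumeration(log, window: int = 4) -> dict:
    """Return {account: longest run} for accounts that requested `window`
    or more consecutive invoice ids. A legitimate user revisits their own
    few invoices; a long sequential run is the signature of a scraper
    walking the id space, as the post says a script could have done."""
    by_user = defaultdict(list)
    for user, inv_id in log:
        by_user[user].append(inv_id)
    flagged = {}
    for user, ids in by_user.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= window:
            flagged[user] = best
    return flagged
```

The ownership check is deliberately done against the authenticated session rather than anything in the request, and the same error is returned for "not yours" and "does not exist" so that an id walk cannot even learn which invoice numbers are valid. The enumeration scan is the complementary detection: even with the fix in place, a run of consecutive ids from one account is worth an alert.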

Finding security flaws like this isn’t something I’ve ever done, and after stumbling across it accidentally I was a bit unsure of how to proceed. Automattic do have a security page. I assumed this was just related to the WordPress platform, but they do also have a HackerOne page (something I’d never heard of before) to encourage the community to submit issues they can fix.

Though I felt Automattic could have jumped on the issue a little quicker from one of my earlier tweets, this may have been a little misguided given the channels they already listen to for bugs and issues. I can see they take these things seriously. Along with finding the security feedback pages, their quick action leaves me reassured.

Thanks, Automattic.