THE DANGER OF ONLINE EVENTS

22 Sep 2021

Who doesn’t love online events?

Whether it be a webinar, informal talk or roundtable discussion, online events are a great way of learning from industry experts in the comfort of your home or office.

We should know; we put on our own cyber focused live stream events on LinkedIn all the time.

But no, as much as I’d like it to be, this blog isn’t about us or our wonderful and informative events you should definitely check out here.

This is about the information that can be stolen just from you clicking that little ‘attend’ button.

EventBuilder’s Security Flaw

We really leave our data everywhere, don’t we?

And when something comes around like this, we only further realise how our data is never really ours.

EventBuilder is an event management application that allows organisations to create these live events, usually on Skype for Business or Microsoft Teams.

It contributes registration pages, cloud recording, security and reporting, effectively sorting out all the logistics of the event so that the people running it can just focus on the content.

The integrated functionality it provides to users, such as pre-registration and attendee only content, makes it an attractive and useful tool in running these live events.

But they found a flaw.

And lucky they did before it could be taken advantage of.

Hundreds of thousands of files were discovered to have been left potentially exposed by the Grayhat Warfare search engine.

The investigation, conducted by the Clario research centre, highlighted the thousands of CSV/JSON files that had been left endangered, waiting to become a hacker’s birthday present.

But left endangered how?

Well, as with a lot of data vulnerabilities, the exposure came from the storage system.

The information gathered by EventBuilder was stored on Microsoft Azure Blob, which is optimised to store huge amounts of unstructured data.

In the case of EventBuilder, the storage was supposed to be partially public, so that it could host their recorded streams with access only through a link.

But the organisers of the many webinars that went through EventBuilder were actually putting the information for every registrant into the blob.

A big mistake.

This is why Grayhat Warfare, a public bucket searcher, was able to index the information, thus exposing the hordes of files to being potentially accessed by hackers all over the world.

These files contained registrants’ details for Microsoft events, including full names, email addresses, their company name and position in the company, phone numbers and questionnaires answered.

And like I said before, this is potentially hundreds of thousands of registrants.

That much information in just one hacker’s hands is dangerous.

But in the hands of hundreds... thousands, even...

It doesn’t bear thinking about.

The Potential Outcome of a Bad Mistake

What can a hacker do when they know everything about you?

Well, for a start, it doesn’t have to be you they’re really targeting.

If they know where you work and they know your work email address, couldn’t that open it up to countless phishing attempts?

They might have your phone number too. Have you clicked on anything recently?

Is your phone now corrupted?

They even know your answers from various questionnaires you’ve filled in.

It’s not out of the realm of possibility at all for them to trick you by posing as the people who created the quiz and saying "click this link for your results" or "here’s another quiz you might like".

And the crazy thing is, their tactics only get more and more believable.

An email purporting to be from a boss or coworker can be difficult to spot as fake, especially when the language isn’t the classically misspelt and borderline unreadable garbage some phishing attacks use.

This was a preventable exposure of data, of course it was.

Proper access rules have to be implemented so that only authorised individuals can obtain the sensitive information.

Oh, and if authentication isn’t required for the system, don’t leave it open to the internet.

Who thought that was a good idea?
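The check this section asks for can be run mechanically against a storage inventory. The sketch below is an added example, not code from EventBuilder or Clario; the inventory, container names and the list of sensitive file suffixes are constructed assumptions, while the access levels are Azure Blob Storage's own container settings.

```python
# Added example: flag registrant-style files sitting in publicly readable containers.
# SAMPLE_INVENTORY is constructed sample data, not taken from any real account.
from pathlib import PurePosixPath

# Assumption: file types that typically hold registrant exports.
SENSITIVE_SUFFIXES = {".csv", ".json"}

# Azure Blob Storage public access levels for a container:
#   None        -> private, every read needs authorisation
#   "blob"      -> anonymous read of a blob if its URL is known, no listing
#   "container" -> anonymous read AND anonymous listing of every blob
SAMPLE_INVENTORY = [
    {"name": "webinar-media", "publicAccess": "container",
     "blobs": ["2021/keynote.mp4", "2021/registrants.csv", "2021/survey.json"]},
    {"name": "recordings", "publicAccess": "blob",
     "blobs": ["talk-01.mp4", "talk-02.mp4"]},
    {"name": "registrations", "publicAccess": None,
     "blobs": ["event-17/attendees.csv"]},
]

def audit(inventory):
    """Return one finding per anonymously readable blob that looks like registrant data."""
    findings = []
    for container in inventory:
        level = container.get("publicAccess")
        if level not in ("blob", "container"):
            continue  # private container: nothing is anonymously readable
        for blob in container["blobs"]:
            if PurePosixPath(blob).suffix.lower() in SENSITIVE_SUFFIXES:
                findings.append({
                    "container": container["name"],
                    "blob": blob,
                    # A listable container can be enumerated, so indexers can find the file.
                    "severity": "high" if level == "container" else "medium",
                })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['container']}/{f['blob']} is anonymously readable")
```

Registrant exports belong in a private container; only the recordings need link-based access.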

A Word From Westpoint

If you’re looking for a cyber expert to help you with your cyber security programme, get in touch with us at info@westpointcyber.io

Or if you’re a cyber expert yourself and looking for a new role, contact us at jobs@westpointcyber.io

In the meantime, join us in the Cyber Lounge group on LinkedIn.

A group for cyber experts, by cyber experts.
