MacKeeper is anti-virus software for Apple computers that promises to keep users' computers secure and running smoothly, yet it seems MacKeeper itself has problems with security.
Chris Vickery, a white hat hacker, was able to download 13 million customer records in a 21 GB file. Shockingly, this feat didn't even require any hacking. Vickery stumbled across the security failure while browsing a search engine called Shodan. Shodan searches for anything connected to the internet; that is, anything connected to the internet that doesn't require authentication.
Vickery was able to download the 13 million customer records by simply entering a selection of IP addresses, with no username or password required to access the data.
In a Reddit post Vickery explained, “The search engine at Shodan.io had indexed their IPs as running publicly accessible MongoDB instances (as some have already guessed), I had never even heard of MacKeeper or Kromtech until last night. I just happened upon it after being bored and doing a random ‘port:27017’ search on Shodan.”
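The two settings that turn a MongoDB server into something Shodan can index and read without credentials are whether it listens on every interface and whether authorization is required. The audit helper below is an added example, not code from the article or from Kromtech: it reads a mongod.conf in the simple two-level layout the file uses and flags those two settings. Both configuration samples are constructed for illustration, the weak one in the state the article describes and the hardened one with authorization enabled and the listener restricted to loopback.

```python
"""Added audit helper (not part of the original article): flags the two
mongod.conf settings that leave a database readable by anyone who can reach
port 27017. Both sample configurations are constructed for illustration."""

# Constructed example: listening on every interface with authorization off.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed example: the same file hardened. Clients must authenticate and
# the listener only accepts loopback connections; application servers reach
# it over a private network, not the public internet.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_sections(text):
    """Minimal reader for the 'section:\\n  key: value' layout of mongod.conf.
    It is not a YAML parser; it covers only what the audit below needs."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw.startswith(" ") and line.endswith(":"):
            current = line[:-1].strip()        # new top-level section
            sections[current] = {}
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_sections(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # Authorization must be explicitly enabled; an absent key means disabled.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who "
                        "can reach the port can read every collection")

    # Binding to all interfaces exposes the port to the internet whenever the
    # host has a public address, which is exactly what Shodan indexes.
    bind_ip = net.get("bindIp", "127.0.0.1")
    wildcard = {"0.0.0.0", "::"}
    if (net.get("bindIpAll", "false").lower() == "true"
            or any(ip.strip() in wildcard for ip in bind_ip.split(","))):
        findings.append("net.bindIp binds to all interfaces: restrict it to "
                        "loopback or a private address and firewall port %s"
                        % net.get("port", "27017"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "no findings")
```

Run against the weak sample the helper reports both problems; against the hardened sample it reports none. A real deployment would add network-level checks on top of this, since a correct configuration file does nothing if the port is also published through a misconfigured firewall.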
By doing this, Vickery found 21 GB of data on 13 million customers, including customer names, email addresses, usernames and password hashes, mobile phone numbers, IP addresses, system information, software licenses, and activation codes. The passwords were stored as MD5 hashes rather than in plain text, but Vickery believes these would be relatively easy to crack by anyone using MD5 cracking tools.
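The weakness Vickery points at is that an unsalted MD5 hash is fast to compute and identical for every user with the same password, so one precomputed table covers the whole 13 million records. The following is an added example, not code from the article or from Kromtech, of how a service holding such legacy records can verify them once and rewrite them with a per-user salt and a deliberately slow hash on the user's next login. The record format string and the in-memory user table are assumptions made for the example.

```python
"""Added example (not from the article): migrating legacy unsalted MD5
password records to salted PBKDF2-HMAC-SHA256 on the user's next login.
The record format 'pbkdf2_sha256$iterations$salt$hash' is an assumption."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # tune so one check costs ~100 ms on the login servers


def legacy_md5(password):
    """Unsalted MD5 as the exposed records were believed to store it: equal
    passwords give equal hashes, so one lookup table covers every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return a salted, slow hash record. A fresh 16-byte salt per user makes
    precomputed tables useless; the iteration count makes each guess slow."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(),
                                      digest.hex())


def verify_password(password, stored):
    """Constant-time check that accepts either record format."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iterations, salt_hex, hash_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), hash_hex)
    # Anything else is treated as a legacy unsalted MD5 record.
    return hmac.compare_digest(legacy_md5(password), stored)


def login_and_upgrade(users, username, password):
    """Verify the login; if it succeeds against a legacy MD5 record, replace
    that record with the salted slow hash. Returns True on success."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith("pbkdf2_sha256$"):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed user table in the legacy format; both users share a password.
    users = {"alice": legacy_md5("correct horse"),
             "bob": legacy_md5("correct horse")}
    print("legacy records identical:", users["alice"] == users["bob"])
    print("login:", login_and_upgrade(users, "alice", "correct horse"))
    print("alice upgraded:", users["alice"].startswith("pbkdf2_sha256$"))
```

The upgrade happens only when the user presents the correct password, because the server never has the plaintext otherwise; records belonging to users who never return stay in the legacy format and should be expired after a deadline rather than kept indefinitely.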
MacKeeper’s reply shouldn’t leave users with a good feeling. “Analysis of our data storage system shows only one individual gained access performed by the security researcher himself,” Kromtech, the maker of MacKeeper, said in a statement. “We have been in communication with Chris, and he has not shared or used the data inappropriately.”
We have seen numerous data breaches involving Apple products in the last few years, and it is understandable that Apple users would look to third-party solutions to protect them. One must wonder, though: how can a company that promises to protect users' systems not even take the time to protect their information?
Source: The Hacker News