Pierluigi Paganini
March 19, 2023
On February 7, the Cybernews research team discovered a misconfiguration on the Lowe’s Market website. The supermarket chain’s website was leaking a treasure trove of private credentials, which left the company vulnerable to potential attacks by cybercriminals.
Together, the compromised credentials could enable an unscrupulous hacker to gain control of most of the online store’s functionality, see sensitive customer information, and abuse access to paid services, all while putting Lowe’s Market customers at risk.
With almost 150 locations, the Lowe’s chain primarily operates stores in Texas, New Mexico, Colorado, Arizona, and Kansas.
At the time of writing, the company has already fixed the issue. Cybernews reached out to Lowe’s Market regarding the details of the misconfiguration and the possible duration of data exposure. However, the company has yet to provide a response to the inquiry.
Access to databases
Researchers found a publicly accessible environment file (.env) hosted on the Lowe’s Market website. Public access to the file posed a risk to the security of the company’s systems, as it was leaking sensitive data and numerous credentials.
An examination of the environment file suggests that the developers were not following the best practices, while poor security configurations might have led to more secrets, an industry term for vital data that should be kept private, being exposed.
The leaked secrets could have allowed threat actors to access databases as the hosts, usernames, and ports of main, tracking, legacy, recipe, and redis.io databases were exposed.
Database hosts and credentials are considered sensitive information, as they are used to access respective databases and their contents. In the case of Lowe’s Market, most database hosts are internet-connected, making it particularly easy for threat actors to access them.
Due to legal reasons, it is impossible to check the contents of the databases, but the titles suggest that some of them contained information about products, such as recipes, while others could have contained customer usage data.
At least one of the databases likely contained user information, as the company has limited support for online grocery purchases. One of the titles in the legacy database contained the word “billing,” leading researchers to assume that it may have contained private user data.
The environment file also revealed the access key to Amazon Web Services (AWS) S3 server and bucket name. This information could have been used to log in and access the bucket and its contents and modify or delete existing data.
While the AWS S3 bucket could have stored sensitive information, based on its name, researchers assume it stored only website-related assets.
“The bucket most likely only stored images used by the site and similar, non-sensitive assets,” said Cybernews researcher Aras Nazarovas.
“It is possible that it contained sensitive information as well, as we saw some cases like that, but there is no way to know in this particular case.”
A treasure trove of keys uncovered
The .env file contained numerous application programming interface (API) keys dedicated to a specific website’s functionality. Malicious actors could have used the leaked API keys and credentials to steal user information, change product pricing, and hijack most of the store’s functionality.
One of these leaked keys, GrocerKey API, allowed access to partial credit card information, addresses, and top-spending users, as well as the ability to send unsolicited orders, issue refunds, launch ad campaigns, reset passwords, and check in-store and in-app balances.
The REST API key that enables querying user information was also leaked, and this could have allowed a threat actor to use it along with GrocerKey API to make unauthorized online purchases.
Some other leaked keys could have enabled threat actors to use the company’s official communication channels to send malicious messages across various platforms.
For instance, cybercriminals could have used the leaked Campaign Monitor, Pushwoosh, Loyalty Lane, and Postmark API keys to send emails, application notifications, and SMS messages to Lowe’s Market users. In addition, the threat actor could have used leaked Inmar API keys and credentials to produce custom coupons with significant discounts.
Finally, the exposed Geocoder API key could have allowed a threat actor to gain access to the company’s Google Maps API. A malicious actor could thus exploit the key to use this access for personal gain, resulting in increased usage and, subsequently, higher bills that the company would be responsible for paying.
This is because each request sent through the Geocoder API to Google Maps would be charged to the company as the legal owner of that account.
“No sensitive information can be obtained, the only possible misuse would be to send requests through the API, or flooding the API with requests to a point where the account would be rate-limited, affecting the website’s ability to display maps,” said Nazarovas.
Takeover of Facebook app
Along with the API keys, the environment file also exposed Facebook OAuth credentials and Github OAuth tokens.
Using the leaked Facebook app ID and secret key, the attacker could have requested sensitive user data from Facebook or taken over Lowe’s Market’s Facebook application, with serious consequences for user privacy and security.
Leaking such sensitive information as the GitHub OAuth token could have been dangerous as it can provide unauthorized access to a user’s Github account and the repositories it contains.
According to CyberNews more grocery stores might be affected, if you want to learn more give a loot at the original post at:
https://cybernews.com/security/lowes-market-data-leak/
About the author: Paulina Okunytė, Journalist at CyberNews
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Lowe’s Market)
