GEARBEST JUST GOT HACKED. 100,000’S OF CUSTOMERS EMAILS, SHIPPING ADDRESSES, IP AND OTHER DETAILS ACCESSED!
Gearbest is a massive online store, primarily specializing in Chinese products. In the Android community, Gearbest is known as one of the easiest ways to purchase devices from Xiaomi and other Chinese brands in the United States. If you’ve purchased something from Gearbest in the past, you might want to start changing your credit cards — the company’s main database was found to be completely unsecured.
VPNMentor’s white hat security team, led by Noam Rotem, published a report about Gearbest’s security. The group found that the site’s main database, as well as the databases of its sister sites (including Zaful, Rosegal, and DressLily), are easily accessible and contain more than 1.5 million records. Some of the accessible information includes emails, account passwords, IP addresses, birthdays, street addresses, payment information, and full names. The team was able to log into two accounts without effort. The exact content of each customer’s orders are also visible. Gearbest’s data management console was also accessible, meaning hackers could easily manipulate information on the site, disable sections of the company’s servers, and even disrupt operations at Gearbest’s warehouses. It’s safe to say that data breaches don’t get much worse than this — it might be a good idea to stay away from Gearbest.
GEARBEST RESPONDS TO THE SECURITY BREACH
Gearbest finally responded to the security breach when their database was hacked. This is the response from Gearbest to Android Police. Original post can be found here.
Immediately upon being aware of this incident, our security experts have initiated an investigation to verify the allegations made by Mr. Noam Rotem. While we found that all our own established databases or servers used for storing or processing Data are protected with all necessary encryption measures and are absolutely safe, some of the external tools we use to temporarily store Data may have been accessed by others and therefore Data security may have been compromised.
The external tools we use are intended to improve efficiency and prevent data overload and the Data will only be stored in such tools for less than 3 calendar days before it is automatically destroyed. Considering possible data security breaches, we protected those tools with powerful firewalls to avoid any such data being compromised by malicious scanning from others. However, our investigation reveals that on March 1st, 2019, such firewalls were mistakenly taken down by one of our security team members for reasons still being under investigation. Such unprotected status has directly exposed those tools for scanning and accessing without further authentication.
Currently, we believe this may have affected our newly registered customers as well as our old customers who placed orders with Gearbest during the time from March 1st 2019 to March 15th, 2019, in a total number of about 280,000. Fortunately, the irregularity has been fixed by us within two hours immediately after detecting it and we will further strengthen our internal security management to avoid such incident from happening again.
We truthfully apologize for what happened. In addition to what we have done mentioned above, we will be urgently carrying out measures to inactivate the passwords of those newly registered customers for avoidance any illegal login to their accounts and will also send email to all affected customers for updating the situation.
FULL REPORT FROM VPNMENTOR ON THE GEARBEST HACK
Below is the full report taken from VPNMentors post, which can be found here.
Led by Noam Rotem, a well-known white hat hacker and activist, VPNMentor’s research team discovered a major security breach in Gearbest. With hundreds of thousands of sales every day, Gearbest is a highly successful Chinese e-commerce company. The site sells a range of electronics and appliances, as well as clothing, accessories, and homeware. While it sells some internationally-known brands like OnePlus, most are smaller Chinese brands. It ships to more than 250 countries and territories across the globe, and ranks in the top 100 websites in almost 30% of these regions. Gearbest has subdomains in 18 languages, generating global appeal. Gearbest is owned by Chinese conglomerate, Globalegrow. The parent company operates several internationally successful sites, including Zaful, Rosegal, and DressLily. In 2015, their sales hit $550 million; 2017 saw the company celebrate a $1.48 billion turnover. The company’s runaway success is a triumph for Gearbest and its sister companies. However, it’s not such great news for the sites’ customers. vpnMentor can exclusively reveal that Gearbest’s database is completely unsecured – as are those belonging to its sister companies.
Gearbest Data Breach
Our hackers could access different parts of Gearbest’s database, including:
- Orders database
Data includes products purchased; shipping address and postcode; customer name; email address; phone number
- Payments and invoices database
Data includes order number; payment type; payment information; email address; name; IP address
- Members database
Data includes name; address; date of birth; phone number; email address; IP address; national ID and passport information; account passwords
We accessed these databases in March 2019, and discovered 1.5+ million records.
Gearbest’s database isn’t just unsecured. It’s also providing potentially malicious agents with a constantly-updated supply of fresh data.
Aside from our ability to access complete sets of personally identifiable information for millions of users, Gearbest’s data breach raises several other very serious issues.
An open database filled with personal information can compromise users’ safety online. The records we saw show full sets of unencrypted data, including email addresses and passwords. (It’s worth noting that some email addresses contained some hashing. We don’t know if this was intentional and should have appeared everywhere, or if some of their data corrupted. Our hackers believe that it was a partially-implemented security measure that is simply not doing its job.) The screenshot below shows snippets from two set of user data we harvested from the database.
We were able to log in to these two Gearbest accounts and operate them as if we were the users. We could view current and past orders, accumulated Gearbest points, and change the account password and details. Hackers could use this information to create “local” damage: by accessing user accounts using their email and password, they can change user orders, manipulate account details, and spend monies from saved payment methods. However, this information could also be used in a far more sinister way. By cross-referencing different databases, hackers could easily steal Gearbest’s customers’ identities. As seen below, the Members database includes this user’s IP address, full postal address, email address, birth date, and, most worryingly, their national identity number.
Depending on the country and requirements, this could be enough information to give hackers access to online government portals, banking apps, health insurance records, and more.
When examining the Payments and Invoices database, we noticed the term “Boleto” appeared multiple times, exclusively in reference to Brazilian orders (Brazil accounts for 9.2% of Gearbest’s global traffic). It refers to Boleto Bancario (literally, “Bank Ticket”), a payment method which is regulated by the Brazilian Federation of Banks. It’s similar to the Oxxo payment system used in Mexico. Oxxo allows users to create a voucher which functions like a debit card: users load the amount of their choosing, and can spend what’s available. Each voucher features a unique bar code; this gives users access to their money.
In the database we accessed, payments made using either of these methods include a URL for “ebanx.” These links show the active vouchers used, complete with their cash amounts. The data also includes Oxxo and Boleto vouchers’ unique barcodes; this information allows hackers to act as users. We could also access customer’s receipts, complete with their banking information.
Order Details: Sex Toy Scandal
The exact content of people’s orders is visible on the Orders database. The exact make, color, size, and cost of each item can all be viewed, along with the user name and shipping address. Compared to other information available across these unprotected databases, this doesn’t seem particularly shocking. However, the content of some people’s orders has proven very revealing – and in some instances, even life-threatening. Hidden in the “Sales” section of Gearbest’s “Apparel” category, users can find a vast array of sex toys. The nature of the store’s open database means the details of your private purchases could quickly become public knowledge.For many adults across the world, purchasing sex toys is not problematic. For example, the orders shown in the image below belong to people in Brazil and Greece.
These countries have very permissive laws regarding sexuality and homosexuality. For context, Brazil hosts the world’s largest Pride parade, and same-sex relationships have been legal in Greece since 1951. While the content of such orders being released could be embarrassing for the buyer, the publication of such information could not result in legal repercussions.
However, this is not the case everywhere. While examining the database, we came across order information for a male Pakistani user.
This customer purchased a silicone dildo; in fact, further inspection of the database shows that he actually bought three. Each purchase includes slightly different information, which is why a street address does not appear in the image above. Pakistan does not enjoy the same liberal attitude to sexuality that many Western countries take for granted. The country’s strict laws stipulate that adultery and pre-marital sex are criminal offensespunishable by imprisonment and fines. The country’s religious laws also allow for death by stoning or corporal punishment. LGBT rights are limited, and the same punishments are applicable. The LGBT community also suffers social stigma, a lack of legal protection, and an Islamized society which precludes acceptance of LGBT people. It’s also worth noting that culturally, it is unlikely that buyer made this purchase for his buyer’s wife.
These laws make our Pakistani shopper a prime example of why Gearbest’s open database is so dangerous. A simple search gave us his full name, email address, street address, and IP address. A more detailed search could probably show us his date of birth and account password, letting us see his previous order information. We’re not malicious and are sharing this (highly censored) information to highlight the dangers of this open database. Others may have very different intentions. In the Pakistani government’s hands, this information could mean a literal death sentence for this user.
How Gearbest is Harming Itself
Gearbest is exposing millions of users’ data. However, the company is also hurting itself. The indices our hackers discovered aren’t just for their user databases. They also included URL access to Gearbest’s – and Globalegrow’s – Kafka system. Kafka is a data management program that helps large corporations control the amount of site data sent through each of their servers. This serves two purposes: it prevents server overload and maintains efficiency, and allows companies to collect big data.
This kind of access allows malicious hackers to manipulate information, reassign database properties, and even disable entire sections of the company’s server. Depending on the function of each server, this could disrupt data collection, order placement, and stock and warehouse management.
We discovered this breach as part of an ethical hacking project. Noam Rotem, a well-known white hat activist and hacker, along with Ran L. and their team, is running a web scanning project which examines IP blocks and system holes for data leaks. They verified the database’s owners by creating, entering, and identifying data. They discovered that Globalegrow’s entire database is unprotected and mostly unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing up to 10,000 schemata from a single index at any time. As ethical hackers, we are obliged to reach out to websites when we discover security flaws. This is especially true when a company’s data breach affects so many people – and in Gearbest’s case, this issue impacts hundreds of thousands of people every day. However, these ethics also mean we carry a responsibility to the public. Gearbest shoppers should be aware of the risks they take when using a site that makes no effort to protect its users.
We repeatedly contacted both Gearbest and Globalegrow to inform them of this breach, and to let them when we would be publishing this article. They had several days’ notice. Unfortunately, our repeated attempts to ask these companies to step up and protect their users have been unsuccessful. At the time of publication, we were yet to receive a response.
WHAT SHOULD I DO NEXT?
Well, the bad news is, your personal details including shipping address, emails, invoices and more are already exposed. The good news is, this was an ethical hack, with no malicious intent to share, sell or use your data, and was used more to teach GearBest a lesson on their security.
I would HIGHLY recommend NOT using Gearbest until this issue is resolved at least. And as a temporary measure, change your password incase hackers would like to continue to hack their service, now the public is aware of the vulnerabilities on the website. Some may use this news to take advantage on the database flaws, which means, your data may fall into the wrong hangs, unless GearBest act quickly to improve their security, and protect their users details.