Your privacy and security is a top priority for the company behind MacKeeper; at least that’s what Kromtech claimed after 13 million user account credentials leaked from an unsecured database.
Chris Vickery, who works as an IT helpdesk tech and as a security researcher when not at work, took to Reddit to warn that he had downloaded “over 13 million sensitive account details related to MacKeeper, Zeobit, and/or Kromtech;” he posted screenshot proof on Imgur.
There are several ironies in Vickery’s discovery as he “had never even heard of MacKeeper or Kromtech” until after he used Shodan to search for TCP port 27017. He told Krebs on Security, “The funny thing is, I don’t even own a Mac.” He added, “I didn’t know it was some sort of scamming scareware or software that pushes itself on people. The irony here is pretty thick.”
Yet Vickery’s simple Shodan search led to an exposed MongoDB database that turned up a 21.2 GB file which contained 13 million user account credentials. The file included “names, email addresses, usernames, password hashes, phone numbers, IP addresses, system information, as well as software licenses and activation codes,” he told Forbes. Furthermore, MacKeeper was using MD5 hashes for passwords; it’s trivial for a MD5 cracking tool to break such a weak and outdated encryption algorithm and Kromtech had not added salt to the password hash.
After Vickery had Kromtech’s attention, the company posted a MacKeeper security advisory which said the “error was fixed within hours of discovery.” There are plenty of the regular claims made after a breach, when a company tries to assure users that their privacy and security is of the utmost importance. Kromtech said, “Our customer's private information and data protection is our highest priority.” That might sound a bit hollow after MacKeeper’s MongoDB was misconfigured and the “security” software’s passwords were poorly protected.
Vickery found the info with a simple search; there was no hacking involved and anyone who ran the search could have found it. The data wasn’t even protected by a password. Maybe others have found it, but chose to exploit it instead of report it? Kromtech claimed, “Analysis of our data storage system shows only one individual gained access performed by the security researcher himself.”
Back in May, MacKeeper made headlines after a zero-day for a critical remote code execution vulnerability was discovered and then patched via the release of a newer version. There are posts all over the web warning MacKeeper is a “scam” or “scareware;” in fact a post on an Apple forum advises not to install the software, as it “has been described by various sources as highly invasive malware that can de-stabilize your operating system.”
Maybe MacKeeper users are supposed to feel better about the latest blunder – the 13 million user credentials exposed – by learning that credit card and payment information was not at risk since it was handled by a third party. The security advisory said the “only” information MacKeeper stored – and was discovered by Vickery – are “name, products ordered, license information, public IP address and their user credentials such as product specific usernames, password hashes for the customer's web admin account where they can manage subscriptions, support, and product licenses.”
MacKeeper, which theoretically optimizes Macs and protects the machines from malware and viruses, was released in 2010 and then acquired by Kromtech from ZeoBit in 2013. It is infamous in regards to its aggressive popup advertisements that can trick users into installing the software when they can’t easily close the ads. Some people regard it as scareware, since MacKeeper will warn users of serious problems that allegedly adversely affect a Mac’s health. After this led to a class-action lawsuit settled with a $2 million refund fund, IDG News Service asked AV Comparatives to test the latest trial version of the software.
Although MacKeeper was installed on a fresh, fully patched version of OS X in the test and should have had no problems, the software “warned in red in several places with exclamation points that the computer's condition was ‘serious’ due to more than 500 MB of ‘junk’ files.” It “fixed” 85 files for free, but required the fully purchased program to clean more than 1,500 files with other “serious” issues.
684.8 TB of data exposed by publicly accessible MongoDB instances
This sort of exposure that results in putting users at risk is not unique to MacKeeper, which had an “open” configuration on its MongoDB database instance. In fact, John Matherly, the founder of Shodan, found “684.8 TB of data exposed by publicly accessible MongoDB instances.” He wrote, “At the moment, there are at least 35,000 publicly available, unauthenticated instances of MongoDB running on the Internet.”
Back in July, Matherly warned that a quick search on Shodan produced thousands of MongoDB instances that had no authorization enabled. After the MacKeeper leak, he searched and found an additional 5,000 instances exposed. He also noted, “I can't stress enough that this problem is not unique to MongoDB: Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations.”
If and when the next MongoDB “breach” is discovered, if the company was so careless as to leave its system exposed and could not be bothered by attempting to protect the data with a password, then it had better not even try to pretend that it cares about the privacy and security of its customers. Do companies really believe that customers are so gullible as to believe that? Basically that is like calling your customers “stupid” and if you think that makes people want to purchase your product...then think again.