Weight Watchers internal infrastructure exposed due to unprotected server
A critical server for popular weight-loss service, Weight Watchers, was left unprotected, allowing researchers to take a bite out of dozens of exposed S3 buckets containing company data and AWS access keys. Researchers discovered a Weight Watchers Kubernetes administration console earlier this month that was accessible over the Internet without any password protection. Weight Watchers was notified and secured the console. Weight Watchers stated that its infrastructure was not compromised. Researchers did not see any personally identifiable information exposed.
The danger of the exposure is the availability of the root administration keys online, which could have opened many doors for hackers. The researchers stated that the open console was Kubernetes, an open-source container orchestration tool developed by Google that automates the deployment and monitoring of application containers. Researchers said there was no password set for the Kubernetes cluster, which was found on at least three IP addresses with the kubelet port 10250 exposed. This allowed access to all of the pods' specifications, including the AWS access key and several dozen S3 buckets with company data. In all, 31 users were affected, including a user with root and administrative credentials and applications with programmatic access.
The words "public without password" and "administration interface" should never go together. By not properly protecting the administration console, Weight Watchers provided all the keys and information needed to gain full root access to its entire cluster. Weight Watchers responded in a timely manner and secured the console within the same day, though it claimed that this was a testing environment.
Researchers said that even if it was a test Kubernetes cluster, the DevOps team responsible for it has no excuse. The kubelet connection is not secure enough to be run across the internet. SSH tunnels must be used to securely put packets onto the cluster's network without exposing the kubelet's web server to the internet. Researchers suggest that companies protect their administration interfaces via an array of measures, including restricting port ranges at the firewall and forcing access only via secure sockets.
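As an added illustration (not from the researchers or from Weight Watchers), here is the kubelet setting that turns an exposed port 10250 into a full pod-spec leak, beside a hardened configuration. Field names are from the KubeletConfiguration API; the CA file path is an assumed placeholder.

```yaml
# Added example, not part of the article: kubelet.config.k8s.io/v1beta1.
# WEAK: any client that can reach TCP/10250 may call /pods and read every
# pod specification, including environment variables carrying cloud keys.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true        # unauthenticated requests are accepted as system:anonymous
authorization:
  mode: AlwaysAllow      # ...and every request, from anyone, is permitted
readOnlyPort: 10255      # a second, fully unauthenticated read-only API
---
# HARDENED: require a client certificate or an API-server-validated bearer
# token, let the API server authorize each request, and close the read-only port.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false       # no identity, no access
  webhook:
    enabled: true        # bearer tokens are checked via TokenReview
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path to the cluster CA
authorization:
  mode: Webhook          # kubelet asks the API server (SubjectAccessReview)
readOnlyPort: 0          # disable port 10255 entirely
```

Even with the hardened settings, port 10250 should be reachable only from the API server and the cluster's own nodes, which is the firewall restriction the researchers recommend.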
Publicly accessible unprotected databases, administration interfaces and storage buckets continue to be a simple-to-fix yet alarmingly widespread issue, resulting in reams of exposed critical data. In May, researchers established a PoC attack that could allow unauthenticated bad actors to extract user credentials from misconfigured reverse proxy servers and to extract data from websites and applications.