Security researchers said it was too easy to gain full system access when they came upon a Weight Watchers International, Inc. server that was left unsecured.
Researchers from Kromtech Alliance Corp., based in Dubai, found a Kubernetes console with no password protection that included data from dozens of Amazon S3 buckets, although no personal data was reportedly accessed in the Weight Watchers exposure.
"First, the words 'public without password' and 'administration interface' should never go together," Kromtech researchers wrote in a blog post. "By not properly protecting the administration console Weight Watchers provided all the keys and information needed to gain full root access to their entire cluster."
A Kromtech spokesperson said via email that the Weight Watchers exposure included the AWS access key, allowing the researchers to use the AWS command-line interface to discover "all associated keys, usernames/logins and accounts; 31 [identity and access management] users including a user with administrative credentials and applications with programmatic access; 46 S3 buckets and access credentials to them; and, EC2 infrastructure [consisting] of 156 instances including Compute, Memory, Storage Optimized and instances for General Purposes with billing logs for thousands of dollars."
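The account-wide discovery that a leaked AWS key makes possible, as described above, leaves a recognisable trail: one access key listing IAM users, S3 buckets and EC2 instances within minutes of each other. The following detector is an added example, not code from the article or from Kromtech; it assumes CloudTrail logging is enabled and runs over constructed CloudTrail-style records with placeholder key IDs.

```python
"""Flag an AWS access key that enumerates IAM, S3 and EC2 in one short burst.
Added example (not from the article). Assumes CloudTrail records are available
as JSON lines; the events and key IDs below are constructed placeholders."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only discovery calls per service (eventSource prefix -> eventName set).
ENUMERATION_CALLS = {
    "iam": {"ListUsers", "ListAccessKeys", "ListAttachedUserPolicies", "GetUser"},
    "s3": {"ListBuckets", "GetBucketAcl", "GetBucketPolicy"},
    "ec2": {"DescribeInstances", "DescribeSecurityGroups", "DescribeVolumes"},
}

# Constructed CloudTrail-style events, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"eventTime":"2018-06-01T10:00:05Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"accessKeyId":"AKIAEXAMPLE0LEAKED"}}
{"eventTime":"2018-06-01T10:00:41Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAEXAMPLE0LEAKED"}}
{"eventTime":"2018-06-01T10:03:12Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLE0LEAKED"}}
{"eventTime":"2018-06-01T10:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLE0DEPLOY"}}
{"eventTime":"2018-06-01T10:05:03Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"accessKeyId":"AKIAEXAMPLE0DEPLOY"}}
"""

def load_events(text):
    """Parse JSON-lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_key_enumeration(events, window_minutes=10, min_services=3):
    """Return {accessKeyId: sorted services} for every key whose enumeration
    calls span at least `min_services` services inside a `window_minutes` window."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for ev in events:
        service = ev["eventSource"].split(".")[0]
        if ev["eventName"] in ENUMERATION_CALLS.get(service, ()):
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[ev["userIdentity"].get("accessKeyId", "?")].append((ts, service))
    hits = {}
    for key, calls in by_key.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):  # slide a window starting at each call
            seen = {svc for ts, svc in calls[i:] if ts - start <= window}
            if len(seen) >= min_services:
                hits[key] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for key, services in detect_key_enumeration(load_events(SAMPLE_LOG)).items():
        print(f"ALERT: {key} enumerated {', '.join(services)}; rotate the key and investigate")
```

The deployer key in the sample is not flagged because it touches only one enumeration service, which is the distinction that keeps routine automation out of the alert.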
However, there was some disagreement over the nature of the servers affected by the Weight Watchers exposure.
A spokesperson for Weight Watchers International Inc. said the issue was isolated to a testing environment.
"Last week, Weight Watchers received a report from security researchers related to the exposure of credentials in one non-production AWS account. The account was in a testing environment clearly labeled 'non-prod' and is used only to test new services and features. Our internal team and a reputable third-party security forensics team have investigated the exposed account key scope and activity, and each has independently confirmed that there was no indication that any personally identifiable information was exposed," the spokesperson wrote via email. "We responded immediately to resolve the issue and have implemented safeguards to prevent it from recurring. We appreciate the efforts the security community makes to responsibly disclose concerns to improve the state of security on the internet."
Kromtech stood by its assessment of the Weight Watchers exposure.
"We did investigate the exposed console data and the analysis that we've done led us to the conclusion that it was a production account, indeed. While some of the associated accounts did indeed have a 'non-prod' label, most of them were production-wise," the spokesperson said via email. "In order not to violate [the Computer Fraud and Abuse Act] we did not use the found credentials to access the infrastructure, but the amount of exposed info and their nature gave us a firm belief that this data was real."