Fieldwork Software database leak exposed sensitive SMB records, customer credit card details

Once in a blue moon, however, the owner of leaky servers will take warnings seriously.
Written by Charlie Osborne, Contributing Writer

Researchers have uncovered a database exposed on the Internet owned by Fieldwork Software which leaked extensive financial details belonging to business clients. 

vpnMentor cybersecurity researchers Noam Rotem and Ran Locar revealed their findings on Monday. In a blog post, the team said 26GB of data was exposed in the breach.

The leak was found as part of vpnMentor's web scanning project, in which ports are checked and analyzed for open databases and the accidental public disclosure of sensitive, corporate data. 

Anstar-owned Fieldwork is a platform marketed towards SMBs with a particular focus on small companies offering home services. The cloud-based solution can be used to track employees making house visits, to establish CRM records, and includes features such as scheduling, invoicing, and payment systems.

The variety of information exposed by the open database was vast. Customer names, addresses, phone numbers, emails and communication sent between users and clients, instructions, and photos of work sites were included. 

See also: Unsecured database exposes 85GB in security logs of major hotel chains

However, there were other datasets which proved to be more serious. The GPS locations of clients, IP addresses, billing details, signatures, and full credit card details -- including card number, expiration date, and CVV security code -- were also involved. 

A significant finding was the discovery of automatic login links used to access the Fieldwork service portal. If a threat actor harnessed these links, they could gain access to the platform's backend system and administration -- which, in turn, would give them license to cause havoc for the company and its customers. 

"Access to the portal is a particularly dangerous piece of information," the researchers say. "A bad actor can take advantage of that access not just by using the detailed client and administrative records stored there. They could also lock the company out of the account by making backend changes."

CNET: US Customs and Border Protection reportedly suspends subcontractor over cyberattack

Hackers could have used the exposed information to strike physical locations, too. While the logs appeared to be kept in the leaking database for only 30 days before being sent to other systems, they contained appointment times and instructions for accessing buildings including alarm codes, lockbox codes, passwords, and descriptions of where keys were hidden. 

"Fieldwork markets its products to small businesses, which have fewer financial resources available if they're shut down by a hack," the researchers noted. "When hackers can infiltrate a system, they have a lot of options open to them. Shutting down operations will cost the company significant amounts of money. A hacker could also sell stolen data to a competing company."

vpnMentor disclosed the existence of the leaking database prior to public disclosure. Fieldwork, to its credit, jumped on the case and closed the leak within 20 minutes of receiving the researchers' email. 

TechRepublic: DevOps will fail unless security and developer teams communicate better

It is, unfortunately, often the case that notifications of data breaches or leaks are met defensively and it can take days, if not weeks, to plug security holes which place customer data at risk -- and so when a company tackles these issues so rapidly, it is refreshing -- but sadly a rarity. 

Fieldwork has not responded to requests for comment at the time of writing. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards