MacKeeper Loses Control of User Data

Kromtech this week revealed a vulnerability in the data storage system of its MacKeeper software.

Security researcher Chris Vickery, who alerted the company to the problem with its server, pegged the number of MacKeeper users affected at about 13 million in a post on Reddit.

Kromtech posted a security alert about the breach on MacKeeper’s website.

The company fixed the error in its data storage system within hours of its discovery, it said.

The breach did not jeopardize highly sensitive data about its customers, Kromtech said. Credit card and payment information is processed by a third party, and the company’s servers don’t transmit or store billing information.

Casual Discovery

While using a search engine called Shodan to find servers that require no authentication and were open to external connections, some Internet addresses belonging to Kromtech caught Vickery’s eye. When he checked them out, he discovered he could access a database for Kromtech’s 13 million users.

Kromtech stores in the database users’ names, products ordered, license information and public IP addresses, it said.

It also stores user credentials such as product-specific usernames and password hashes for customers’ Web accounts from which they manage their subscriptions, support and product licenses.

Errors of Their Ways

Kromtech made at least three security errors that put its customers’ personal information at risk, Kunal Rupani, principal product manager forAccellion, told TechNewsWorld:

  1. It didn’t protect access to its customer database with a username and password.
  2. It didn’t make the IP addresses leading to the database private so they wouldn’t show up in search engines like Shodan.
  3. It used a weak hash algorithm, MD5, to protect passwords in the database.

“MD5 isn’t the most secure form of protecting passwords,” said Chris Ensey, chief operating officer ofDunbar Cybersecurity.

“It’s commonly broken,” he told TechNewsWorld. “It’s an algorithm that’s used to obfuscate but not fully encrypt passwords.”

Moreover, because of weaknesses in how MD5 scrambles passwords, hackers have developed lists of translations of MD5 hashes. Those translations list MD5 hashes and the common passwords they represent.

“So you can use a tool to break the MD5 hashes or compare them to already known hashes,” Ensey explained.

Time for Hackers to Act

Kromtech was aware of the weaknesses of MD5 and prepared to change how it hashed passwords before Vickery notified it of its database vulnerability, Kromtech spokesman Bob Diachenko said.

“During the last two days, we implemented a comprehensive internal review and [are] considering other options, like Blowfish,” he told TechNewsWorld.

Vickery was the only outside party accessing its customer database before the company closed the security gap he brought to its attention, Kromtech said.

“I don’t think they can prove that without a shadow of a doubt,” Dunbar’s Ensey said.

And while Kromtech closed the security gap Vickery identified quickly, there was still plenty of time for intruders using their own initiative to act.

“Although Chris Vickery was good about not posting details about how to access the database, it’s entirely possible that hackers could have figured it out once they knew the database was there,” said Thomas Reed, director of Mac offerings atMalwarebytes.

“The database was not secured for at least six hours after Vickery first tried getting Kromtech’s attention,” he told TechNewsWorld.

Series of Missteps

Moreover, the database may have been exposed to Net marauders longer than Kromtech would like the public to believe.

Kromtech told Vickery the security gap was created when the company reconfigured its servers last week, he said in an interview with security blogger Brian Krebs. Some of the Shodan search results pointing to the database dated back to mid-November.

“This breach is only the latest in a series of missteps by Kromtech and their predecessor, ZeoBIT,” Reed said.

“Earlier this year, hackers pushed malware that took advantage of a MacKeeper vulnerability to install silently on some Macs with MacKeeper installed,” he noted.

“Then there’s the issue of MacKeeper’s trustworthiness, which is very low, and includes not one but two class-action lawsuits alleging fraud, one of which was settled in favor of the plaintiff,” he added.

Advice for Users

In light of the security gap Vickery discovered, MacKeeper users should change their passwords as a precautionary measure.

“If they use the same password on any other accounts, they should change those as well, using a different password than the one they’re using with Kromtech,” Malwarebytes’ Reed recommended.

Users also should stay current with MacKeeper updates and be wary of any communication received from the company, Ensey said.

“You need to evaluate whether or not any contact and communication from MacKeeper is authentic,” he said. “You have to be suspicious of those emails and make sure they’re not a scam or spoof.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • "It also stores user credentials such as product-specific usernames and password hashes for customers’ Web accounts"

    For them to say they didn’t jeopardize highly sensitive customer data is bogus, by the above statement alone. You handed over keys to the kingdom for sites people will logically and reasonably use the same password for.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels