Multinational in the construction area exposes global customer data

Failure in the servers of Cosentino, which manufactures products for architecture and home design projects, allowed access to certificates with customer data

A breach in the servers of Cosentino, a multinational that manufactures surfaces and stones for architecture and domestic design projects, exposed the company’s customer data around the world. The flaw lay in the system that issues warranty certificates, which could be manipulated trivially to reveal the personal information of every consumer of the company’s products: full names, telephone numbers, e-mail addresses and postal addresses.



Photo: Disclosure / Cosentino / Canaltech

The problem stemmed from a simple flaw in the configuration of the brand’s infrastructure. The company, which focuses on sustainability, supplies stones and other products for countertops, furniture, coatings and facades. To obtain the 25-year warranty certificate against breakage, chips and manufacturing defects, customers must register on the company’s website with details about themselves and about the property where the pieces are installed.

According to the Cybernews security researchers who disclosed the exposure, that is where the problem lay. The certificate was issued as a PDF whose URL could be manipulated by changing the customer identifier; thus, with a single link in hand, it was possible to access the warranty certificates of every other consumer whose data was present on the server, without any form of identity verification.

Sample of a document that could be freely obtained from a breach in Cosentino's systems, exposing addresses, telephone numbers, emails and information on projects carried out in the companies and homes of the brand's clients (Image: Reproduction/CyberNews)

Although the certificates were accessed one at a time, by manipulating the client ID present in the URL, a simple script would be enough to collect all of the data sequentially and automatically. The result would be a database of information on Cosentino’s clients, a prospect that becomes even more serious when one considers the brand’s focus on high-end projects.
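The access-control mistake described above, modelled as an added example (not Cosentino's code; the endpoint shape, record layout and log lines are constructed): a lookup keyed only on the ID from the URL, beside a version that requires a logged-in user who owns the record, plus a detector that flags a client walking through certificate IDs in an access log.

```python
import re
from collections import defaultdict

# Constructed sample data: certificate records keyed by a sequential customer ID,
# the kind of identifier the article says sat in the PDF URL.
CERTIFICATES = {
    1001: {"owner": "alice", "pdf": b"%PDF-1.4 warranty alice"},
    1002: {"owner": "bob", "pdf": b"%PDF-1.4 warranty bob"},
    1003: {"owner": "carol", "pdf": b"%PDF-1.4 warranty carol"},
}

def vulnerable_lookup(customer_id):
    """Flawed pattern from the article: the ID in the URL is the only input."""
    rec = CERTIFICATES.get(customer_id)
    return rec["pdf"] if rec else None

def hardened_lookup(session_user, customer_id):
    """Require a logged-in user AND ownership of the record (authorization, not just login)."""
    if session_user is None:
        return None  # not logged in: a real application would answer 401
    rec = CERTIFICATES.get(customer_id)
    if rec is None or rec["owner"] != session_user:
        return None  # same answer for missing and foreign IDs, so IDs cannot be probed
    return rec["pdf"]

# Constructed log format (hypothetical): "<client-ip> GET /certificate/<id>.pdf <status>"
LOG_RE = re.compile(r"^(\S+) GET /certificate/(\d+)\.pdf (\d{3})$")

def detect_enumeration(log_lines, threshold=3):
    """Return client IPs that successfully fetched at least `threshold` distinct certificate IDs.
    One client pulling many different IDs is the signature of the sequential scraping described."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m:
            ip, cid, status = m.groups()
            if status == "200":
                seen[ip].add(int(cid))
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)

# Constructed access-log sample: one ordinary customer and one client walking the ID space.
SAMPLE_LOG = """\
198.51.100.7 GET /certificate/1002.pdf 200
203.0.113.9 GET /certificate/1001.pdf 200
203.0.113.9 GET /certificate/1002.pdf 200
203.0.113.9 GET /certificate/1003.pdf 200
203.0.113.9 GET /certificate/1004.pdf 404
""".splitlines()

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # ['203.0.113.9']
```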

In addition to the widespread exposure, which could amount to a leak of virtually the entire Cosentino customer base, the documents also contained details about product resellers and the material installed at each site. With such information in hand, criminals could carry out phishing attacks impersonating the manufacturer or its commercial partners in order to obtain further personal details from customers, as well as financial information or fraudulent payments.

According to Cybernews, Cosentino was contacted and closed unauthenticated access to the certificates. However, it is not possible to know whether the data was accessed and downloaded by malicious third parties for use in attacks. No such database was found for sale or posted on surface-web cybercriminal forums.

Brazil is one of the main markets for Cosentino, which does business in over 80 countries and has a factory in the country. Canaltech contacted the company for more details about the exposure, chiefly whether Brazilians were among those whose data was compromised, but had not received a response as of publication.

Source: Cybernews