Maria Montero

At Blind, a security lapse revealed private employee complaints …

Thousands of people Trusted Blind, an app-based “anonymous social network,” as a secure way to reveal wrongdoing, wrongdoing and misconduct in your companies.

But Blind exposed one of its database servers without a password, making it possible for anyone who knew where to look to access each user’s account information and identify potential whistleblowers.

The South Korean-founded company made its way into the US in 2015, when it quickly became a very popular anonymous social network for major tech companies, promoting employees from Apple, Facebook, Google, Microsoft, Twitter, Uber and more. Last month, Blind raised another $ 10 million in new funding after a $ 6 million increase in 2017. But it was only when the social network became the root of several high-profile scandals that Blind gained widespread attention, including the disclosure of sexual harassment allegations at Uber, which later blocked the app on its corporate network.

The exposed server was found by a security researcher, who goes by the name Mossab H, who informed the company of the security lapse. The security researcher found one of the company’s Kibana dashboards for its back-end ElasticSearch database, which contained multiple tables, including private messaging data and web content, for both its US and Korean sites. Blind said that the exposure only affects users who registered or logged in between November 1 and December 19, and that the exposure relates to “a single server, one among many servers on our platform,” according to the Blind executive Kyum Kim in an email. .

Blind only pulled the database after TechCrunch followed up via email a week later. The company began emailing its users on Thursday after we requested a comment.

“When developing an internal tool to improve our service for our users, we became aware of an error exposing user data,” the email told affected users.

Kim said there is “no evidence” that the database was misused or misused, but did not say how he came to that conclusion. When asked, the company would not say whether it will notify US state regulators of the breach.

Blind CEO Sunguk Moon, who was copied in many of the emails with TechCrunch, did not comment on or acknowledge the exposure.

At its core, the app and the anonymous social network allow users to register using their corporate email address, which is said to be linked only to Blind’s member ID. Email addresses are “used for verification only” to allow users to speak to other anonymous people in your company, and the company claims that the email addresses are not stored on their servers.

But after reviewing some of the exposed data, some of the company’s claims don’t hold up.

We found that the database provided a real-time stream of user logins, user posts, comments, and other interactions, allowing anyone to read private comments and posts. The database also revealed unencrypted private messages between members, but not their associated email addresses. (Given the high sensitivity of the data and the privacy of affected users, we do not publish data, screenshots or specific data of user content).

Blind states on its website that its email verification “is secure, as our proprietary infrastructure is configured so that all account information and user activity is completely disconnected from the email verification process.” He adds: “This effectively means that there is no way to trace your activity on Blind to an email address, because even we can’t.” Blind claims that the database “does not show any mapping of email addresses to nicknames,” but we found streams of email addresses associated with members that have yet to be published. In our brief review, we did not find any content, such as comments or messages, linked to email addresses, only a unique member ID, which could identify a user who posts in the future.

However, many records contained plain text email addresses. When other records did not store an email address, the record contained the user’s email as an unrecognized encrypted hash, which can be decryptable by Blind employees, but not by anyone else.

The database also contained passwords, which were stored as an MD5 hash, an outdated algorithm that is now easy to crack. Many of the passwords were quickly cracked using tools available when we tried. Kim denied this. “We don’t use MD5 for our passwords to store them,” he said. “The MD5 keys were a record and they don’t represent how we manage data. We use more advanced methods like salty hashing and SHA2 to protect user data in our database. ”(Logging in with an email address and unencrypted password would be illegal, therefore we cannot verify this claim). That can put employees at risk using the same password in the app when logging into their corporate accounts.

Despite the company’s apparent efforts to disassociate email addresses from its platform, the database login records also stored user account access tokens, the same type of tokens they recently put in. risk Microsoft and Facebook accounts. If a malicious actor were to grab and use a token, they could log in as that user, effectively removing any anonymity they might have had from the database in the first place.