Gearbest Security Hole Affects Very Many Customers Worldwide

VPN Mentor has discovered a huge security hole affecting Gearbest customers. Gearbest is an international shopping site with hundreds of thousands of customers worldwide. It is not widely used in Norway, but they do have Norwegian customers.

VPN mentor hackers could access different parts of Gearbest’s database, including:

Orders database
Data includes products purchased; shipping address and postcode; customer name; email address; phone number
Payments and invoices database
Data includes order number; payment type; payment information; email address; name; IP address
Members database
Data includes name; address; date of birth; phone number; email address; IP address; national ID and passport information; account passwords

VPN mentor accessed these databases in March 2019 and discovered 1.5+ million records.

The database of Gearbest isn’t just unsecured. It’s also providing potentially malicious agents with a constantly-updated supply of fresh data.

Aside from VPN mentor’s ability to access complete sets of personally identifiable information for millions of users, the data breach raises several other very serious issues.

User Privacy

The Privacy Policy of Gearbest states that while they do collect user information, it is with the focused purpose of serving their customers.

The privacy policy also specifies that while users are responsible for their own passwords, they encrypt sensitive information and employ external verification software to protect customers.

The data viewed as a result of this hack reveals this to be untrue. VPN mentor saw lots of sensitive information – including email addresses and passwords – that was completely unencrypted.

Additionally, the database contains large amounts of personally identifiable information that is not required when completing the duties of an e-commerce store. For example, a shipping address is crucial to fulfilling orders. An IP address is not.

This is particularly worrying given the current trend towards a more open and honest internet. Services providers across multiple industries, ranging from CyberGhost VPN to Walmart (both of whom have recently published transparency reports), strive to increase transparency for their customers. Gearbest’s shady practices do the opposite.

Gearbest seems to infringe on their own privacy policy. However, this isn’t the most significant risk to user privacy here.

User Safety

An open database filled with personal information can compromise users’ safety online. The records VPN mentor saw show full sets of unencrypted data, including email addresses and passwords.

(It’s worth noting that some email addresses contained some hashing. VPN mentor doesn’t know if this was intentional and should have appeared everywhere, or if some of their data corrupted. VPN mentor hackers believe that it was a partially-implemented security measure that is simply not doing its job.)

The screenshot below shows snippets from two set of user data VPN mentor harvested from the database.

VPN mentor was able to log in to these two Gearbest accounts and operate them, impersonating the actual users. Their hackers could view current and past orders, accumulated Gearbest points, and change the account password and details.

Hackers could use this information to create “local” damage: by accessing user accounts using their email and password, they can change user orders, manipulate account details, and spend monies from saved payment methods.

However, this information could also be used in a far more sinister way. By cross-referencing different databases, hackers could easily steal Gearbest’s customers’ identities.

As seen below, the Members database includes this user’s IP address, full postal address, email address, birth date, and, most worryingly, their national identity number.

Depending on the country and requirements, this could be enough information to give hackers access to online government portals, banking apps, health insurance records, and more.

Payment Details

When examining the Payments and Invoices database, we noticed the term “Boleto” appeared multiple times, exclusively in reference to Brazilian orders (Brazil accounts for 9.2% of Gearbest’s global traffic).

It refers to Boleto Bancario (literally, “Bank Ticket”), a payment method which is regulated by the Brazilian Federation of Banks.

It’s similar to the Oxxo payment system used in Mexico. Oxxo allows users to create a voucher which functions like a debit card: users load the amount of their choosing, and can spend what’s available. Each voucher features a unique bar code; this gives users access to their money.

In the database we accessed, payments made using either of these methods include a URL for «ebanx». These links show the active vouchers used, complete with their cash amounts. The data also includes Oxxo and Boleto vouchers’ unique barcodes. This information allows hackers to act as regular users. VPN mentor could also access customer’s receipts, complete with their banking information.

Order Details: Sex Toy Scandal

The exact content of people’s orders is visible in the Orders database. The exact make, color, size, and cost of each item can all be viewed, along with the user name and shipping address.

Compared to other information available across these unprotected databases, this doesn’t seem particularly shocking. However, the content of some people’s orders has proven very revealing – and in some instances, even life-threatening.

Hidden in the “Sales” section of Gearbest’s “Apparel” category, users can find a vast array of sex toys. The nature of the store’s open database means the details of your private purchases could quickly become public knowledge.

For many adults across the world, purchasing sex toys is not problematic. For example, the orders shown in the image below belong to customers in Greece and Brazil.

These countries have very permissive laws regarding sexuality and homosexuality. For context, Brazil hosts the world’s largest Pride parade, and same-sex relationships have been legal in Greece since 1951. While the content of such orders being released could be embarrassing for the buyer, the publication of such information could not result in legal repercussions.

However, this is not the case everywhere. While examining the database, we came across order information for a male Pakistani user.

This customer purchased a silicone dildo; in fact, further inspection of the database shows that he actually bought three. Each purchase includes slightly different information, which is why a street address does not appear in the image above.

Pakistan does not enjoy the same liberal attitude to sexuality that many Western countries take for granted.

The country’s strict laws stipulate that adultery and pre-marital sex are criminal offenses, punishable by imprisonment and fines. The country’s religious laws also allow for death by stoning or corporal punishment.

LGBT rights are limited, and the same punishments are applicable

The LGBT community also suffers social stigma, a lack of legal protection, and an Islamized society which precludes acceptance of LGBT people.

It’s also worth noting that culturally, it is unlikely that the buyer made this purchase for his wife.

These laws make our Pakistani shopper a prime example of why Gearbest’s open database is so dangerous. A simple search gave us his full name, email address, street address, and IP address. A more detailed search could probably show us his date of birth and account password, letting us see his previous order information.

We’re not malicious and are sharing this (highly censored) information to highlight the dangers of this open database. Others may have very different intentions. In the Pakistani government’s hands, this information could mean a literal death sentence for this user.

How Gearbest is Harming Itself

Gearbest is exposing millions of users’ data. However, the company is also hurting itself.

The indices VPN mentor hackers discovered aren’t just for their user databases. They also included URL access to the Kafka system of Gearbest (and Globalegrow).

Kafka is a data management program that helps large corporations control the amount of site data sent through each of their servers. This serves two purposes: it prevents server overload and maintains efficiency, and allows companies to collect big data.

This kind of access allows malicious hackers to manipulate information, reassign database properties, and even disable entire sections of the company’s server. Depending on the function of each server, this could disrupt data collection, order placement, and stock and warehouse management.

Ethical Hacking

We discovered this breach as part of an ethical hacking project. Noam Rotem, a well-known white hat activist & hacker, along with Ran L. and their team, is running a web scanning project which examines IP blocks and system holes for data leaks.

They verified the database’s owners by creating, entering, and identifying data.

They discovered that Globalegrow’s entire database is unprotected and mostly unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing up to 10,000 schemata from a single index at any time.

As ethical hackers, we are obliged to reach out to websites when we discover security flaws. This is especially true when a company’s data breach affects so many people – and in Gearbest’s case, this issue impacts hundreds of thousands of people every day.

However, these ethics also mean we carry a responsibility to the public. Gearbest shoppers should be aware of the risks they take when using a website that makes no effort to protect the customers.

VPN mentor repeatedly contacted both Gearbest and Globalegrow to inform them of this breach, and to let them when we would be publishing this article. They had several days’ notice. Unfortunately, VPN mentor repeated attempts to ask these companies to step up and protect their users have been unsuccessful. At the time of publication, we were yet to receive a response.

Past Reports

VPN mentor recently revealed that Dalil experienced a massive data breach. Dalil is Saudi Arabia’s largest phone directory app, and the breach affected more than 5 million users. You may also want to read VPN mentor report of fake apps used in Iran to monitor users, VPN Leak Report and Data Privacy Stats Report.

Please share the original report on Facebook or tweet it.