June 12, 2018
0

Weight Watchers IT Infrastructure Exposed via No-Password Kubernetes Server

Category : Blog

Weight Watchers suffered a small Security Breach

Weight Watchers is the registered trademark of Weight Watchers International, Inc.

Just like many companies before it, weight loss program Weight Watchers suffered a small security breach after security researchers found a crucial server exposed on the Internet that was holding the configuration info for some of the company’s IT infrastructure.

The exposed server was a Kubernetes instance, a type of software for managing large IT networks and easily deploying app containers across multiple servers, usually on a cloud infrastructure.

Dozens of servers containing Weight Watcher’s data were left exposed after the company failed to password protect software used for managing application containers, according to German cybersecurity firm Kromtech.

An Amazon cloud infrastructure used by Weight Watchers was left vulnerable—46 Amazon S3 buckets in total—including logs, passwords, and private encryption keys, Kromtech found.

Weight Watchers ran a no-password Kubernetes instance

Researchers from German cyber-security firm Kromtech discovered that Weight Watchers forgot to set a password for the administration console of one of its Kubernetes instances.

This granted anyone knowing where to look (port 10250) access to this servers, without the need to enter a username and password.

All in all, the Kubernetes instances exposed an administrator’s root credentials, access keys for 102 of their domains, and 31 IAM users including users with administrative credentials and applications with programmatic access.

Weight Watchers added that its internal team and a third-party forensics company investigated the incident and that “each has independently confirmed that there was no indication that any personally identifiable information was exposed,” a spokesperson said.

The exposure was the result of a misconfigured Kubernetes instance, Kromtech said. Kubernates is a tool developed by Google for managing large numbers of applications. Notably, a Kubernetes instance on Telsa’s cloud infrastructure was hacked earlier this year, and then used by the perpetrators to mine cryptocurrency.

Unclear what data was exposed

It is unclear if someone else besides the Kromtech team discovered this Kubernetes instance, but an attacker with access to this server would have been able to access a large part of Weight Watchers’ network.

It is also unclear what kind of data (user details?) these servers were storing, as the Kromtech team could not go wandering off inside Weight Watchers’ network without violating a slew of laws.

Diachenko and the Kromtech team said they reported the exposed server to Weight Watchers, who quickly remediated the issue, thanking the researchers.

Weight Watchers claims it was a non-production network

“We really appreciate the community working to make us all safer,” a Weight Watchers spokesperson said in its response to Kromtech.

“We have confirmed the issue – a security group for a test cluster in our non-production account was misconfigured during testing. The issue should be resolved and keys should be revoked. We’ve also implemented some safeguards to protect against this issue from recurrence.”

But Kromtech disputes Weight Watchers’ explanation that this was a non-production account. Nonetheless, today, a Weight Watchers spokesperson stood by its initial statement.

“Last week, Weight Watchers received a report from security researchers related to the exposure of credentials in one non-production AWS account,” a company spokesperson told Bleeping Computer via email. “The account was in a testing environment clearly labeled ‘nonprod’ and is used only to test new services and features.”

“To be able to test and innovate securely, we keep test environments completely separate from production environments. Our internal team and a reputable third-party security forensics team have investigated the exposed account key scope and activity, and each has independently confirmed that there was no indication that any personally identifiable information was exposed,” the spokesperson told us.

Weight Watchers is certainly not the first company to have to deal with a leaky or non-protected server. Other companies that suffered a similar fate include Tesla, Honda, Universal, and Bezop, just to name a few.