Weight Watchers IT Infrastructure Exposed via No-Password Kubernetes Server


Weight Watchers suffered a small Security Breach

Weight Watchers is the registered trademark of Weight Watchers International, Inc.

Just like many companies before it, weight loss program Weight Watchers suffered a small security breach after security researchers found a crucial server exposed on the Internet that was holding the configuration info for some of the company’s IT infrastructure.

The exposed server was a Kubernetes instance, a type of software for managing large IT networks and easily deploying app containers across multiple servers, usually on a cloud infrastructure.

Dozens of servers containing Weight Watchers’ data were left exposed after the company failed to password protect software used for managing application containers, according to German cybersecurity firm Kromtech.

An Amazon cloud infrastructure used by Weight Watchers was left vulnerable—46 Amazon S3 buckets in total—including logs, passwords, and private encryption keys, Kromtech found.

 


 

Weight Watchers ran a no-password Kubernetes instance

Researchers from German cyber-security firm Kromtech discovered that Weight Watchers forgot to set a password for the administration console of one of its Kubernetes instances.

This granted anyone knowing where to look (port 10250) access to this server, without the need to enter a username and password.

All in all, the Kubernetes instances exposed an administrator’s root credentials, access keys for 102 of their domains, and 31 IAM users including users with administrative credentials and applications with programmatic access.

Weight Watchers added that its internal team and a third-party forensics company investigated the incident and that “each has independently confirmed that there was no indication that any personally identifiable information was exposed,” a spokesperson said.

The exposure was the result of a misconfigured Kubernetes instance, Kromtech said. Kubernetes is a tool developed by Google for managing large numbers of applications. Notably, a Kubernetes instance on Tesla’s cloud infrastructure was hacked earlier this year, and then used by the perpetrators to mine cryptocurrency.
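A defender-side audit for the two conditions reported here, port 10250 reachable from anywhere and no authentication required. This is an added example, not code from Kromtech or Weight Watchers. It assumes security groups in the shape returned by `aws ec2 describe-security-groups` and a kubelet configuration already parsed into a dict; the group IDs and sample data are constructed.

```python
import ipaddress

KUBELET_PORT = 10250  # port named in the article (the kubelet API port)

def world_open(cidr):
    """True if the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def covers_port(perm, port=KUBELET_PORT):
    """True if one IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def exposed_kubelet_rules(security_groups):
    """Return (group id, cidr) for each rule opening the kubelet port to everyone."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], c) for c in cidrs if world_open(c)]
    return findings

def kubelet_allows_anonymous(cfg):
    """True only if the config explicitly enables anonymous auth with AlwaysAllow."""
    anon = cfg.get("authentication", {}).get("anonymous", {}).get("enabled", False)
    mode = cfg.get("authorization", {}).get("mode", "Webhook")
    return bool(anon) and mode == "AlwaysAllow"

# Constructed sample data, not taken from the incident.
SAMPLE_GROUPS = [
    {"GroupId": "sg-test-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10250,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 10000, "ToPort": 11000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

The port-range and all-protocol cases matter because a rule rarely names 10250 on its own; a wide range or an "all traffic" rule exposes it just the same.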

 


 

Unclear what data was exposed

It is unclear if someone else besides the Kromtech team discovered this Kubernetes instance, but an attacker with access to this server would have been able to access a large part of Weight Watchers’ network.

It is also unclear what kind of data (user details?) these servers were storing, as the Kromtech team could not go wandering off inside Weight Watchers’ network without violating a slew of laws.

Diachenko and the Kromtech team said they reported the exposed server to Weight Watchers, who quickly remediated the issue, thanking the researchers.

 


 

Weight Watchers claims it was a non-production network

“We really appreciate the community working to make us all safer,” a Weight Watchers spokesperson said in its response to Kromtech.

“We have confirmed the issue – a security group for a test cluster in our non-production account was misconfigured during testing. The issue should be resolved and keys should be revoked. We’ve also implemented some safeguards to protect against this issue from recurrence.”

But Kromtech disputes Weight Watchers’ explanation that this was a non-production account. Nonetheless, today, a Weight Watchers spokesperson stood by its initial statement.

“Last week, Weight Watchers received a report from security researchers related to the exposure of credentials in one non-production AWS account,” a company spokesperson told Bleeping Computer via email. “The account was in a testing environment clearly labeled ‘nonprod’ and is used only to test new services and features.”

“To be able to test and innovate securely, we keep test environments completely separate from production environments. Our internal team and a reputable third-party security forensics team have investigated the exposed account key scope and activity, and each has independently confirmed that there was no indication that any personally identifiable information was exposed,” the spokesperson told us.

Weight Watchers is certainly not the first company to have to deal with a leaky or non-protected server. Other companies that suffered a similar fate include Tesla, Honda, Universal, and Bezop, just to name a few.

 


 

 
