200.000 customers data of Deutsche Post public available

On the house-move portal of Deutsche Post, umziehen.de, for unknown time all customer’s data was available for everyone to download.

umziehen.de is a web page collecting your data and helping you when you move from one location to the other. The service will create a post-forwarding service, inform requestors of your movement and provide you a check-list of what you additionally should think of while moving.

A reporter from a german magazin Die Zeit noticed, that the IT-Administrator of that web page (and as he noticed – also from several other pages) did not concern about security in any way. Despite of german reports, that only persons with “IT knowledge” would be able to read the data, in fact with just a little help of google it would be an easy way to actually read the data within shortest time.

MySQL – crate dump

It seems that umziehen.de is using the popular MySQL database management system, like many others out there. In the documentation of MySQL (and also on many howto-pages out there), the usual example to make a backup of the database is to “dump the data to dump.sql”

http://<webseite>/dump.sql

Giving it just a very simple try, the original author was able to download the latest SQL dump from the web site – no login, no password was necessary. Since dump contains used Version and a complete description how to re-create the database, it would be a simple way to re-create the whole database from Deutsche Post – including all customer’s data.

Some more research from the original author found several other web pages using the very same default name – and the public web service folder for its storage. Obviously, those IT-admins have absolutely know Idea what web security would mean.

Leave a Reply

Your email address will not be published. Required fields are marked *