Just like many companies before it, weight loss program Weight Watchers suffered a small security breach after security researchers found a crucial server exposed on the Internet that was holding the configuration info for some of the company’s IT infrastructure.
The exposed server was a Kubernetes instance, a type of software for managing large IT networks and easily deploying app containers across multiple servers, usually on a cloud infrastructure.
Weight Watchers ran a no-password Kubernetes instance
Researchers from German cyber-security firm Kromtech discovered that Weight Watchers forgot to set a password for the administration console of one of its Kubernetes instances.
This granted anyone who knew where to look (port 10250) access to this server without having to enter a username and password.
Once the Kromtech team found and connected to the Kubernetes server, they say they found details about the company’s internal IT infrastructure, such as AWS access keys, pod specifications, and several dozen S3 buckets holding the company’s data.
All in all, the Kubernetes instance exposed an administrator’s root credentials, access keys for 102 of the company’s domains, and 31 IAM users, including users with administrative credentials and applications with programmatic access.
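As an added example (not from the article, Kromtech or Weight Watchers), a defender-side check over a kubelet configuration that flags the settings which leave the kubelet API on port 10250 reachable without a password. The KubeletConfiguration keys are the real ones; the two sample configurations are constructed for illustration.

```python
# Constructed sample: a KubeletConfiguration whose settings let anyone
# reach the kubelet API on port 10250 without authenticating.
WEAK_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": True},
        "webhook": {"enabled": False},
    },
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}

# Constructed sample: the same configuration hardened.
HARDENED_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}


def audit_kubelet_config(cfg: dict) -> list[str]:
    """Return findings for settings that allow unauthenticated or
    unauthorized access to the kubelet API. Fallback values mirror the
    kubelet's own defaults when a key is absent."""
    findings = []
    auth = cfg.get("authentication", {})
    # Anonymous requests map to system:anonymous; with AlwaysAllow they
    # get full, password-less access to pods, logs and exec endpoints.
    if auth.get("anonymous", {}).get("enabled", True):
        findings.append("authentication.anonymous.enabled is true")
    # Without webhook token auth, bearer tokens are never checked
    # against the API server, so only client certs could authenticate.
    if not auth.get("webhook", {}).get("enabled", False):
        findings.append("authentication.webhook.enabled is false")
    if cfg.get("authorization", {}).get("mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow")
    # The read-only port serves pod specs and metrics with no auth at all.
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append(f"readOnlyPort {cfg['readOnlyPort']} is enabled")
    return findings
```

Running the check over a cluster's node configs before they reach production catches exactly the class of misconfiguration the article describes, an admin endpoint with no password.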
Unclear what data was exposed
It is unclear if someone else besides the Kromtech team discovered this Kubernetes instance, but an attacker with access to this server would have been able to access a large part of Weight Watchers’ network.
It is also unclear what kind of data (user details?) these servers were storing, as the Kromtech team could not go wandering off inside Weight Watchers’ network without violating a slew of laws.
“We didn’t go inside, in order to avoid violations,” Kromtech researcher Bob Diachenko told Bleeping Computer today. “Instead, we looked up the list of services connected to the exposed AWS key pair, to understand the scale.”
Diachenko and the Kromtech team said they reported the exposed server to Weight Watchers, who quickly remediated the issue, thanking the researchers.
Weight Watchers claims it was a non-production network
“We really appreciate the community working to make us all safer,” a Weight Watchers spokesperson said in the company’s response to Kromtech.
“We have confirmed the issue – a security group for a test cluster in our non-production account was misconfigured during testing. The issue should be resolved and keys should be revoked. We’ve also implemented some safeguards to protect against this issue from recurrence.”
But Kromtech disputes Weight Watchers’ explanation that this was a non-production account. Weight Watchers did not respond before this article’s publication to a request for comment seeking to clarify other details surrounding the Kubernetes server exposure. Nonetheless, Kromtech says that “WeightWatchers responded that their infrastructure was not compromised,” meaning nobody else seems to have accessed those servers besides Weight Watchers employees.
Weight Watchers is certainly not the first company to have to deal with a leaky or non-protected server. Other companies that suffered a similar fate include Tesla, Honda, Universal, and Bezop, just to name a few.
Tesla, in particular, suffered a leak via a similar Kubernetes instance. Hackers even used the company’s Kubernetes instance to mine cryptocurrencies, a tactic that has become quite common these days.