
Attackers are searching for online store backups in public folders. Can they find yours?
2023-02-07 15:27

Too many online store administrators are storing private backups in public folders and exposing database passwords, secret API keys, administrator URLs and customer data to attackers who know where to look.

The researchers analyzed 2037 online stores of various sizes, running on various e-commerce platforms, and found that 250 of them stored archive files in the public web folder, accessible to anyone.

"We have observed automated attacks against online stores, where thousands of possible backup names are tried over the course of multiple weeks. The attack includes clever permutations based on the site name and public DNS data, such as /db/staging-SITENAME.zip," the researchers explained.

Whether by mistake, due to inattention or just a lack of knowledge, some backups may end up in public folders, and online store admins would do well to check whether they are part of that statistic.

If backups were exposed, web server log files can show whether they were downloaded.

There are also ways to avoid exposing backups in the future, such as configuring the web server to restrict access to archive files and scheduling frequent automated backups so that ad-hoc backups are needed as rarely as possible.
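The log check described above, as an added example that is not part of the article or the researchers' tooling: it parses combined-format access log lines, counts per-IP requests for archive-like paths (the name-guessing pattern quoted earlier), and reports any that actually succeeded. The sample log lines and the extension list are constructed assumptions; extend the list to match your own backup naming.

```python
import re
from collections import defaultdict

# Constructed sample access log lines in combined format (not taken from the article).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Feb/2023:02:14:07 +0000] "GET /db/staging-example-shop.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Feb/2023:02:14:08 +0000] "GET /backup.sql.gz HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Feb/2023:02:14:09 +0000] "GET /example-shop.tar.gz HTTP/1.1" 200 58392014 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Feb/2023:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Feb/2023:09:30:01 +0000] "GET /media/catalog/product.jpg HTTP/1.1" 200 80231 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Extensions a backup or database dump is likely to carry (assumption; extend as needed).
ARCHIVE_EXT = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz", ".7z", ".rar", ".bak")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Drop any query string and normalise case before checking the extension.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec

def scan_log(text):
    """Return (downloads, probes): archive fetches that succeeded, and per-IP archive request counts."""
    downloads = []
    probes = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(ARCHIVE_EXT):
            continue
        probes[rec["ip"]] += 1  # every guess, hit or miss, is evidence of scanning
        # 200 is a full download; 206 means a range request served part of the file.
        if rec["method"] == "GET" and rec["status"] in (200, 206) and rec["bytes"] > 0:
            downloads.append(rec)
    return downloads, dict(probes)

if __name__ == "__main__":
    found, scanners = scan_log(SAMPLE_LOG)
    for ip, n in scanners.items():
        print(f"{ip}: {n} requests for archive-like paths")
    for d in found:
        print(f"DOWNLOADED {d['path']} by {d['ip']} at {d['ts']} ({d['bytes']} bytes)")
```

A non-empty downloads list means the file was served and the credentials inside it should be treated as compromised; the probe counts alone are a useful signal that the name-guessing described in the article is under way.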


News URL

https://www.helpnetsecurity.com/2023/02/07/online-store-backups-public/