Unprotected Server Exposes Weight Watchers Internal IT Infrastructure

Posted by maruf.swe
Researchers found that a critical Weight Watchers server exposed the company's internal IT infrastructure.

A critical server for popular weight-loss service Weight Watchers was left unprotected, allowing researchers to take a bite out of dozens of exposed S3 buckets containing company data and AWS access keys.

Researchers at Kromtech Security said that they discovered a Weight Watchers Kubernetes administration console earlier this month that was accessible over the Internet – without any password protection.

Weight Watchers, which has been notified and has secured the console, said that its infrastructure was not compromised. A Kromtech Security spokesperson told Threatpost that researchers did not see any personally identifiable information exposed.

“[Weight Watchers] also confirms that no customer data was impacted,” the spokesperson told Threatpost. “However, the danger of the exposure is the availability of the root administration keys online that – potentially – could have opened many doors for malicious actors.”

The researchers said the open console belonged to Kubernetes, the open-source container orchestration system originally developed by Google, which automates the deployment, scaling and monitoring of containerized applications.

Researchers said the Kubernetes cluster required no authentication at all: it was reachable on at least three IP addresses, each with the kubelet API port (TCP 10250) exposed to the Internet. A kubelet that accepts anonymous requests will, for example, list every pod running on that node, which is why the exposure mattered even though no customer data was found.

For More Details : https://threatpost.com/unprotected-server-exposes-weight-watchers-internal-it-infrastructure/132713/
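Added example, not code from Threatpost, Kromtech or Weight Watchers: a small Python probe that checks whether a kubelet on port 10250 answers `GET /pods` without any credentials, plus a summary of what such a response gives away. The sample PodList, its pod and image names and the env values are constructed for illustration; the hosts you pass on the command line are your own.

```python
"""Probe kubelet port 10250 for anonymous access and summarize a leaked /pods
response. Added example; sample data below is constructed, not real."""
import json
import re
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

KUBELET_PORT = 10250  # the kubelet API port named in the article
# Env var names that usually carry credentials when given as literal values.
SECRET_ENV = re.compile(r"(KEY|SECRET|TOKEN|PASS|PASSWORD|CREDENTIAL)", re.I)


def classify_kubelet(status, body):
    """Turn the result of an unauthenticated GET /pods into a verdict.
    200 with a PodList: the kubelet served the request with no token
      (anonymous-auth enabled and authorization-mode AlwaysAllow).
    401/403: authentication or authorization is enforced.
    Anything else (timeouts, refused connections): inconclusive."""
    if status == 200 and '"kind"' in body and "PodList" in body:
        return "OPEN"
    if status in (401, 403):
        return "AUTH_ENFORCED"
    return "INCONCLUSIVE"


def probe_kubelet(host, port=KUBELET_PORT, timeout=5):
    """GET https://host:port/pods with no Authorization header. Kubelets use
    self-signed serving certs, so verification is disabled for the probe only.
    Returns (http_status, body); status 0 means no HTTP answer at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}/pods"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
            return r.status, r.read().decode(errors="replace")
    except HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (URLError, OSError) as e:
        return 0, str(e)


def summarize_pods(podlist_json):
    """From a /pods PodList, report each container image and any env var whose
    name looks like a credential and whose value is a literal in the pod spec.
    Values pulled via valueFrom/secretKeyRef are not rendered by /pods, so they
    are deliberately not flagged."""
    doc = json.loads(podlist_json)
    findings = []
    for pod in doc.get("items", []):
        ns = pod["metadata"].get("namespace", "default")
        name = pod["metadata"]["name"]
        for c in pod["spec"].get("containers", []):
            leaked = [e["name"] for e in c.get("env", [])
                      if "value" in e and SECRET_ENV.search(e["name"])]
            findings.append({"pod": f"{ns}/{name}", "image": c["image"],
                             "cleartext_secret_env": leaked})
    return findings


# Constructed sample of what an open kubelet returns (names/values invented).
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList", "apiVersion": "v1",
    "items": [{
        "metadata": {"namespace": "prod", "name": "api-7d9f"},
        "spec": {"containers": [{
            "name": "api", "image": "registry.example.internal/api:1.4",
            "env": [
                {"name": "AWS_ACCESS_KEY_ID", "value": "AKIA-CONSTRUCTED"},
                {"name": "AWS_SECRET_ACCESS_KEY", "value": "constructed-secret"},
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}},
            ]}]}}]})


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        status, body = probe_kubelet(host)
        verdict = classify_kubelet(status, body)
        print(f"{host}:{KUBELET_PORT} -> HTTP {status} {verdict}")
        if verdict == "OPEN":
            for finding in summarize_pods(body):
                print("   ", finding)
```

Run it against hosts you are authorized to test (`python3 probe.py 10.0.0.5 10.0.0.6`). A verdict of OPEN means the kubelet was started with anonymous authentication allowed and no authorization check; the fix on the node side is `--anonymous-auth=false` together with `--authorization-mode=Webhook` (or the equivalent `authentication.anonymous.enabled: false` / `authorization.mode: Webhook` in the kubelet config file), after which the same probe returns 401 or 403.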