Last week it was reported that a security lapse at local firm LogBox had resulted in user accounts and patient data being exposed online.
The report came courtesy of security analyst Anurag Sen, who had contacted TechCrunch regarding the alleged security lapse.
As LogBox is a local firm and we have the benefit of picking up a phone to get in touch with it, we did.
A LogBox representative told us that the firm was investigating the claims made by Sen and that it would get in touch with Hypertext when it had investigated the matter.
That happened this week.
So, the first question we had was whether there was a breach, was this simply a vulnerability?
As LogBox tells it, the simple answer is, it was a vulnerability, but the full answer is a bit more complicated.
“The vulnerability was in a network firewall. It wasn’t a case of an unpatched or unserviced firewall; rather, there were two ports that were open and one of them was the port that was used by the white hat hacker to get access to the information they did,” a LogBox representative told Hypertext via teleconference this week.
Why were those ports open? The LogBox representative tells us that an Elastic-search database opens those ports by default at installation, and that they should have been subsequently closed.
“This was an inadvertent vulnerability. Patches are diligently applied to the operating system” the representative tells us.
“What happens is that access logs are piped across to the Elasticsearch database which is used purely for utility purposes. This includes things like performance and usage-monitoring. Through this port the white hat hacker had access to the database’s traffic related information,” LogBox added.
We’re told that the data Sen saw was completely separate from LogBox.
However, Sen also claimed that they had found thousands of access tokens for LogBox.
This is accurate and LogBox says it immediately addressed this matter.
“Even though the tokens have a limited lifespan, we swiftly revoked all of those tokens as a safeguard,” the representative said.
LogBox says that it doesn’t believe any data was compromised through this open port and exposed tokens. The firm says it has analysed the potential attack vectors and done significant amounts of forensic work to give it a satisfactory level of confidence that no data was compromised.
LogBox has also alerted its healthcare professional users to the fact that this incident occurred.
“We notified our corporate users, healthcare practitioners and a subset of individual users that we felt just may be more at risk – even though there was no evidence to suggest that any actual data was compromised. We invalidated those accounts’ passwords and forced them to reset,” the representative said.
LogBox says that it is not notifying every end user of the incident, and has instead relied on healthcare practitioners to alert their patients as they deem appropriate. While this sounded like LogBox was shifting responsibility, the representative said that from a privacy standpoint, it may be irresponsible to contact a doctor’s patients without the doctor’s knowledge.
We tend to agree with the firm on that front.
The firm has also filed both an interim report and a full report regarding the incident with the Information Regulator.
We’ve asked LogBox to keep us informed of any developments regarding this incident but as it stands, your data appears to be safe and the vulnerabilities which lead to this incident have been addressed.
