How the personal data of patients and doctors could have been affected by an open ClickHouse database (updated)

    I write a lot about finding freely accessible databases in almost every country of the world, but there is almost no news about Russian databases being left exposed. Although I did recently write about the "Kremlin's hand" that a Dutch researcher was alarmed to discover in more than 2,000 open databases.


    One might get the impression that everything is fine in Russia and that the owners of large Russian online projects handle user data responsibly. I hasten to dispel this myth with the following example.


    Apparently, the Russian medical online service DOC+ managed to leave a ClickHouse database of access logs openly accessible. Unfortunately, the logs are so detailed that the personal data of the service's employees, partners and customers may have been exposed.



    First things first ...


    Disclaimer: all information below is published solely for educational purposes. The author did not access the personal data of any third parties or companies. Screenshots were taken either from open sources or were provided to the author by anonymous well-wishers.


    A reader of the Telegram channel "Information Leaks", which I run, contacted me, asked to remain anonymous, and reported the following:


    An open ClickHouse server belonging to DOC+ was discovered on the Internet. The server's IP address matches the IP address to which the docplus.ru domain resolves.

    From Wikipedia: DOC+ (New Medicine LLC) is a Russian medical company that provides telemedicine services, doctor house calls, and storage and processing of personal medical data. The company received investment from Yandex.


    Judging by the information collected, the ClickHouse database was indeed freely accessible, and anyone who knew the IP address could retrieve data from it. The data apparently turned out to be the service's access logs.



    As can be seen from the picture above, in addition to the web server www.docplus.ru and the ClickHouse server (port 9000, the ClickHouse native TCP interface), an open MongoDB database "in which, apparently, there is nothing interesting" is listening on the same IP address.


    As far as I know, the ClickHouse server was found with the Shodan.io search engine (I have written separately about how researchers discover open databases) together with a dedicated script, ClickDown, which checked the discovered database for missing authentication and listed all of its tables. At that time there appeared to be 474 of them.



    From the documentation it is known that by default the ClickHouse server also listens for HTTP on port 8123 (port 9000 is the native protocol port found by the scan). So, to see what the tables contain, it is enough to send an SQL query in a URL like this one:


    http://[IP address]:8123/?query=SELECT * FROM [table name]

    Such a query could return something like what is shown in the screenshot below:



    The screenshot shows that the HEADERS field contains the user's location (latitude and longitude), his IP address, information about the device from which he connected to the service, the OS version, and so on.


    If someone thought to modify the SQL query slightly, for example like this:


    http://[IP address]:8123/?query=SELECT * FROM [table name] WHERE REQUEST LIKE '%25Profiles%25'

    (where %25 is the URL-encoded % wildcard of the LIKE pattern), it could return something resembling the personal data of employees: full name, date of birth, gender, TIN (taxpayer number), registered and actual residential address, phone numbers, job titles, email addresses and much more:



    All of the information in the screenshot above closely resembles HR-department records from 1C:Enterprise 8.3.


    Looking at the API_USER_TOKEN parameter, one might think that it is a "live" token with which various actions could be performed on behalf of the user, including retrieving his personal data. But of course I cannot confirm this.
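    The two steps described above (checking whether the ClickHouse HTTP interface answers without credentials, then triaging access-log rows for personal data and tokens) can be put into a small script. The following is an added example and is not code from the original post, from ClickDown, or from DOC+; the host 203.0.113.5, the column names TIMESTAMP/REQUEST/HEADERS/API_USER_TOKEN and the sample rows are constructed for illustration, and the probe is deliberately limited to SHOW TABLES so that no row data is pulled.

```python
# Added example (not from the original post or from DOC+): probe an exposed
# ClickHouse HTTP interface for anonymous access, then triage access-log rows
# for personal data. Python 3, standard library only.
import json
import urllib.error
import urllib.parse
import urllib.request

CLICKHOUSE_HTTP_PORT = 8123  # ClickHouse default HTTP port; 9000 is the native TCP protocol


def build_query_url(host, query, port=CLICKHOUSE_HTTP_PORT):
    """Same URL form as in the post. urlencode turns '%' in a LIKE pattern into
    '%25' and quotes into '%27', so the server receives the intended SQL."""
    return f"http://{host}:{port}/?" + urllib.parse.urlencode({"query": query})


def probe_clickhouse(host, port=CLICKHOUSE_HTTP_PORT, timeout=5):
    """Return (anonymous_access, table_names).
    Restricted to SHOW TABLES: metadata is enough to establish exposure and
    nothing personal is downloaded. Only run against hosts you are authorised to test."""
    url = build_query_url(host, "SHOW TABLES", port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError:
        # ClickHouse answers missing or wrong credentials with an HTTP error status,
        # so any HTTPError means the default user is not open to the world.
        return False, []
    except OSError:
        # connection refused or timeout: the HTTP port is not reachable
        return False, []
    return True, [t for t in body.splitlines() if t]


def parse_tsv(tsv_text, columns):
    """Parse TabSeparated output (ClickHouse's default HTTP format) into dicts."""
    rows = []
    for line in tsv_text.splitlines():
        if line:
            rows.append(dict(zip(columns, line.split("\t"))))
    return rows


def triage_rows(tsv_text, columns, path_filter=None):
    """Flag rows whose logged request carries personal data or a usable token.
    path_filter reproduces WHERE REQUEST LIKE '%<filter>%' from the post, offline."""
    findings = []
    for row in parse_tsv(tsv_text, columns):
        request = row.get("REQUEST", "")
        if path_filter and path_filter not in request:
            continue
        try:
            headers = {k.lower(): v for k, v in json.loads(row.get("HEADERS") or "{}").items()}
        except ValueError:
            headers = {}  # HEADERS was not JSON; nothing to inspect
        pii = []
        if "latitude" in headers and "longitude" in headers:
            pii.append("geolocation")
        if any(k in headers for k in ("x-real-ip", "x-forwarded-for")):
            pii.append("client_ip")
        if "user-agent" in headers:
            pii.append("device_fingerprint")
        token_present = bool(row.get("API_USER_TOKEN"))  # a logged session token is itself a credential
        if pii or token_present:
            findings.append({"request": request, "pii": pii, "token": token_present})
    return findings


# Constructed sample (not real data) of what SELECT * could return in TabSeparated form.
SAMPLE_COLUMNS = ["TIMESTAMP", "REQUEST", "HEADERS", "API_USER_TOKEN"]
SAMPLE_TSV = "\n".join([
    "2019-03-16 10:01:02\tGET /api/Profiles/123\t"
    '{"x-real-ip":"198.51.100.7","latitude":"55.7558","longitude":"37.6173","user-agent":"okhttp/3.12"}'
    "\tA1B2C3D4E5F6",
    '2019-03-16 10:01:05\tGET /api/health\t{"user-agent":"curl/7.64"}\t',
    "2019-03-16 10:01:09\tPOST /api/Profiles\t"
    '{"x-real-ip":"203.0.113.9","latitude":"59.9343","longitude":"30.3351"}\tF6E5D4C3B2A1',
])

if __name__ == "__main__":
    print(build_query_url("203.0.113.5", "SELECT * FROM access_log WHERE REQUEST LIKE '%Profiles%'"))
    for finding in triage_rows(SAMPLE_TSV, SAMPLE_COLUMNS, path_filter="Profiles"):
        print(finding)
```

    The fix on the server side is the same regardless of what the logs contain: ClickHouse should not bind its HTTP and native ports to a public interface (the listen_host setting in config.xml), and the default user must not be left without a password and must be restricted to trusted networks in users.xml. Logging a session token next to the request that used it turns the log store into a second copy of the credential database, which is why the API_USER_TOKEN column is flagged here on its own.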


    At the time of writing, there is no indication that the ClickHouse server is still freely accessible at the same IP address.


    New Medicine LLC has issued an official statement on the incident. The statement is long; in brief: "Minor leak. Human factor. Less than 1%. Test environment (on the main IP!)". For those willing to read the whole statement:


    The company New Medicine LLC (DOC+) is a personal data operator and therefore takes all protection measures required by law. The company has deployed modern security tools that have passed the necessary certification procedures of the FSB and FSTEC. Internal processes for managing and monitoring the security of the information systems in which personal data is processed have been established. The policy for the protection and processing of personal data is available on our website.

    DOC+ uses the ClickHouse service to debug the functionality of improvements to client products. ClickHouse loads data from the test and production environments. The ClickHouse service runs on the company's servers, access to which is strictly regulated and restricted. The appearance of data from ClickHouse in the public domain was caused by an error related to the human factor. Access to the data was promptly closed on 03/17/19, immediately after the vulnerability was published. The company regularly analyzes vulnerabilities in its personal data protection system, and this error would certainly have been detected and corrected. Unfortunately, we did not manage to do so before other specialists discovered the error.

    An insignificant amount of data was temporarily publicly accessible, which cannot lead to negative consequences for employees and users of the DOC+ service. At the time of the incident, ClickHouse contained data mainly from the test environment. The client data that ended up in the public domain is depersonalized; a personal data subject could be identified from it only if the entire database had been obtained. An analysis of the database access history and of outgoing traffic from our servers suggests that the leak could have affected <1% of all information.

    An internal investigation into the incident is ongoing. We are developing, and have already begun to implement, additional measures to further tighten data protection. We regret the incident, but once again emphasize the absence of negative consequences for our customers. Your safety and privacy have been a priority of the entire DOC+ team since the company's first days.
