14 Dec 15

13 Million MacKeeper Users Exposed

The makers of MacKeeper — a much-maligned software utility many consider to be little more than scareware that targets Mac users — have acknowledged a breach that exposed the usernames, passwords and other information on more than 13 million customers and, er…users. Perhaps more interestingly, the guy who found and reported the breach doesn’t even own a Mac, and discovered the data trove merely by browsing Shodan — a specialized search engine that looks for and indexes virtually anything that gets connected to the Internet.

IT helpdesk guy by day and security researcher by night, 31-year-old Chris Vickery said he unearthed the 21 GB trove of MacKeeper user data after spending a few bored moments searching for database servers that require no authentication and are open to external connections.

Vickery told Shodan to find all known instances of database servers listening for incoming connections on port 27017. “Ports” are like doorways that govern access into and out of specific areas of a server, and each port number generally maps to one or a handful of known Web applications and services. Port 27017 happens to be associated with MongoDB, a popular database management system.

In short order, Vickery’s request turned up four different Internet addresses, all of which he later learned belonged to Kromtech, the company that makes MacKeeper.

“There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said. “But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.”

Vickery said he reached out to the company, which responded quickly by shuttering public access to its user database and publicly thanking him for reporting it.

“Some 13 million customer records leaked from is aware of a potential vulnerability in access to our data storage system and we are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” the company said in a statement published to its site today. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”

Kromtech said all customer credit card and payment information is processed by a third-party merchant and was never at risk.

“Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers,” the statement continues. “The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”

Vickery said Kromtech told him its database had been inadvertently exposed as a result of a server misconfiguration that was introduced just last week. But Vickery said he doubts that’s the case, because some of the Shodan records he found that pointed back to Kromtech’s database were dated mid-November 2015.
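The misconfiguration described above, a MongoDB listener reachable from the Internet with no authentication required, can be caught on the server itself long before Shodan indexes it. The following is an added example, not Kromtech's code or any MongoDB tooling: it parses the simple indented `key: value` subset that mongod.conf uses and flags the two weak settings, with a constructed exposed config and a corrected one embedded.

```python
def parse_mongod_conf(text):
    """Return nested dicts for an indented key: value document; '#' starts a comment."""
    root = {}
    stack = [(-1, root)]                         # (indent, section dict) being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:            # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip().strip("'\"")
        else:
            parent[key.strip()] = {}
            stack.append((indent, parent[key.strip()]))
    return root

def audit(conf):
    """List the weaknesses present; empty list means both checks pass.
    Defaults assumed here are those of mongod 3.6+ (bind to localhost, auth off)."""
    net = conf.get("net", {})
    bind = net.get("bindIp", "127.0.0.1")
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    auth = conf.get("security", {}).get("authorization", "disabled")
    exposed = bind_all or any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(","))
    findings = []
    if exposed:
        findings.append("listener bound to all interfaces")
    if auth != "enabled":
        findings.append("security.authorization is not enabled")
    if exposed and auth != "enabled":
        findings.append("CRITICAL: unauthenticated database reachable from the network")
    return findings

# Constructed sample configs: the exposed pattern, and a corrected one.
WEAK_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
"""
FIXED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.12   # loopback plus one internal interface only
security:
  authorization: enabled
"""
```

`audit(parse_mongod_conf(WEAK_CONF))` returns all three findings, while the corrected config returns none; a firewall rule in front of port 27017 is still worth having even when both checks pass.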

“The funny thing is, I don’t even own a Mac, and I had never heard of MacKeeper until last night,” Vickery said. “I didn’t know it was some sort of scamming scareware or software that pushes itself on people. The irony here is pretty thick.”

Vickery said he was able to connect to the database that Shodan turned up for him just by cutting and pasting the information into a commercial tool built to browse Mongo databases. Asked whether he’s worried that some clueless organization or overzealous prosecutor might come after him for computer hacking, Vickery said he’s not concerned (for background, see the controversy over bone-headed cases brought against researchers under the Computer Fraud and Abuse Act).

“It’s a concern, but I’ve made peace with that and you can’t live your life in fear,” he said. “I feel pretty confident that if you configure a server for public access — without authentication — and it gets publicly accessed, that’s not a crime.”

I admire Vickery’s courage and straightforward approach, and his story is a good reminder about the importance of organizations using all of the resources available to them to find instances of public access to sensitive or proprietary data that shouldn’t be public. Consider taking the time to learn how to use Shodan (it’s actually fairly intuitive, but some data may only be available to paying subscribers); use it to see if your organization has unnecessarily exposed databases, networking devices, security cameras and other “Internet of Things” devices.

Finally, if you’re a MacKeeper customer and you re-used your MacKeeper user password at other sites, it’s now time to change that password at the other sites — and not just to your new MacKeeper password! For more password do’s and don’ts, check out this primer.


27 comments

  1. Now ask the 2 questions:

    How long are they storing the access logs?

    If it’s more than a reasonable period, how is that legal?
    If it’s just 30 days, how would they tell who nicked the data beforehand?

  2. “Finally, if you’re a MacKeeper customer and …”

    Stop right there! You need to ask yourself why.

    Did the logo remind you of the robot in Wall-E?

  3. Wonder if they are looking for some new personnel in the IT security office? Umm, do they HAVE an IT security office?

    After all “your security is impotent to us”

    Jonathan @NC3mobi

  4. Holy crap! What is the extent of information that Kromtech is storing about their customers? A 21GB database is HUGE! That’s roughly 1.6MB of data per user. They could store a rolling history of all the applications on every computer they’re “fixing” for years in that much space.

  5. I’m confused – in the third paragraph, you mention “port 27101” in on place and then “Port 27017” two sentences later – is this correct?

  6. The most shocking thing about this story to me is that 13 million Mac users are naïve enough to happily install scare-ware for Macs… I doubt that “Windows AntiVirus Tool” has 13 million paying customers.

    • It’s not how that works—it’s not naive users as such. MacKeeper’s previous owners, if you believe the chain of ownership story, had a very liberal affiliate program, and the software was bundled in all sorts of adware wrappers. Unfortunately, many Mac users still rely on third-party download sites to get software updates, or find them when searching on Google. Many top software packages for Mac show up via SEO in listings on these update sites instead of from the actual developer site. Search on “Skype for Mac”, as an example. MacKeeper’s current owner has some affiliate relationships outstanding (though seemingly fewer), and advertises extremely heavily.

      The software isn’t terrible, by all accounts, but as a subscription service that’s difficult to uninstall, it’s unreasonable. You can find comparable software for $15 to $30 that’s a one-time fee and doesn’t use dubious advertising techniques.

      13 million sounds high, but when you’re a normal user and you get a popup that warns you your system is in danger, and you just need to fill out a form to pay a fee to get it fixed, a lot of people do. Those folks may be naive, but most didn’t set out to find and install the software.

  7. The Reddit thread on this – which I believe was started by Chris Vickery – notes that the passwords he found were weakly secured: Hashed with MD5, no salt.

    Between that and the fact that the DB was open to the world, you have to wonder at MacKeeper’s security in general. I don’t know anything about the company, but that is a gaping hole to leave open like that. They’re lucky it was a responsible researcher who found the problem.

    • Addendum: The 9to5Mac site also picked up on the weak password hashing.

      And: Wow, MacKeeper doesn’t have a good rep among Mac users it seems. I don’t know the company, so I don’t know how to judge them, but if they were lowly regarded even before this exposure, they must be hitting bottom right now.
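The weakness this comment points at (unsalted MD5 password hashes) can be fixed without forcing a reset on 13 million accounts: verify legacy records on login and rewrite them with a salted, slow hash at that moment. This is an added example, not MacKeeper's or Kromtech's code; the PBKDF2 work factor, the `pbkdf2_sha256$…` storage format and the sample records are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; assumed value, tune to your hardware

def legacy_md5(password):
    """The weak scheme the comment describes: unsalted MD5, hex encoded."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hash(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 in a self-describing string (assumed format)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify_pbkdf2(stored, password):
    """Recompute with the parameters stored in the string and compare in constant time."""
    _, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def verify_and_upgrade(record, password):
    """Authenticate against whichever scheme the record holds. A correct password
    checked against a legacy MD5 record is the one moment the plaintext is in hand,
    so the record is rewritten as salted PBKDF2 right there (migrate-on-login)."""
    stored = record["password_hash"]
    if stored.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(stored, password)
    if hmac.compare_digest(legacy_md5(password), stored):
        record["password_hash"] = pbkdf2_hash(password)
        return True
    return False

# Constructed sample records: two users who happened to choose the same password.
USERS = {
    "alice": {"password_hash": legacy_md5("correct horse battery")},
    "bob":   {"password_hash": legacy_md5("correct horse battery")},
}
```

Before migration the two records carry identical hashes, which is exactly what a leaked unsalted table gives away; after each user's next successful login the rewritten hashes differ and no longer reveal that the passwords match.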

  8. Way to go Mr. Vickery. Kromtech is lucky that YOU, a moral security researcher, stumbled across the database before a more malicious party butted in. This story really got me thinking about the moral and ethical issues stemming from being an open and honest security researcher, who simply wants to help. Would it be best to ignore the vulnerabilities and issues we stumble upon by accident? Turn a blind eye and quite possibly let the company learn the hard way? Because is it really worth helping out if it will only land you in hot water with the legal system? Back in the days of Adrian Lamo and Kevin Mitnick it seemed like you may get in trouble temporarily but a land of riches and fame awaited you on the other side. Since 9/11 I think even when you try to help you could simply be labeled a cyber terrorist instead. It’s a really interesting topic. Thanks Kevin.

  9. I regularly receive calls from family members requesting me to “check on” their computer because “something weird” has been happening for X days. Logging in remotely, it’s usually a bunch of malware (like MacKeeper) that got installed at the same time they or their kids installed a “game” (Read: Download, double-click, Next-Next-Next-Next….Next without reading)

    No matter all the warnings I give them, the same thing happens again and again, over and over within a very short time and I have to do it again. No matter how many red flags I give them, especially not doing bank transactions or trading stocks online from THAT specific computer. Nope… they simply don’t care.

    I’m telling you: People who get infected with this would probably end up with STDs in a matter of days if they were handling their sex life the same way… :S

    • I’ve had this happen many times as well, I warn a family member not to do something and they unintentionally do it again. It’s awful, then I ask about their banking and they generally say something along the lines of “Yeah I do it on this computer, but I figured it would be alright because it’s online”

  10. “Some 13 million customer records leaked from is aware of a potential vulnerability in access to our data storage system”
    Word salad much?

  11. Small observation – why did the “security researcher” feel the need to download all 21Gb of records for 13M people? I would think that downloading a sample of records, say a few hundred or a few thousand would be sufficient to confirm the vulnerability. What is the point of having all that data just to erase it?

  12. People have such a low view of Windows users while feeling such moral high ground simply for the idea of using a Mac. The Mac world suffers from the same blind naive following that the Windows world does. It can be so much worse for Mac though, just because so many people have bought into the notion that Macs are so safe that they are invulnerable (the spirit of Jobs will protect us). It’s all the same thing. There is ultimately only one solution and that is for each and every individual to start learning something about the equipment they own. The only thing that truly protects the Linux user is that these individuals tend to be a bit more tech savvy. This is a perfectly reasonable expectation. It’s no different from expecting someone to actually have a driver’s license if they are going to be driving a vehicle on public roads. Age means nothing. Gender, race, religion, and financial background mean nothing. These 1’s and 0’s are not going to be very forgiving. Users cannot rely on Apple, Microsoft, Sony, Facebook, or government to keep them safe.

    Those who will not learn will be among the first to go down.

  13. Good Morning,

    I am giving away a FREE PREVIEW of my upcoming book: EXPOSED! What You Ought To Know About Securing Your Business Information. The New Age Information Security Handbook.

    Please sign up today @ http://www.authordavidcruz.com

    Thanks for your time.

    David

  14. It would sure be nice for someone to host a website so that one could do a lookup of an email address to see if it’s in the hacked database. That way I’d at least know whether people I help with their computers are already exposed. And obviously, it would have to be outside of MacKeeper, since they would just start spamming any email address entered that they didn’t already have.

  15. John from Shodan blogged about this back in July 2015.

    https://blog.shodan.io/its-the-data-stupid/

    It seems as though Mr Vickery used the command-line shodan tool, downloaded a list of open MongoDBs, plugged the IP and port into RoboMongo or a similar tool and found the MacKeeper DB – probably from reading John’s blog post.

    My last shodan count looks like there are over 10,800 MongoDBs operated out of the US – most of which are using no authentication.