Security mistake at LogBox that exposed South African medical data explained

Johnatan56

Honorary Master
Joined
Aug 23, 2013
Messages
29,464
They also wanted to make clear that the database did not contain user account and patient data.

What Anurag Sen found was an Elasticsearch database that contained application logs.
[...]
The logs stored to this database included ephemeral user access tokens which could be used to access the LogBox accounts of patients and doctors. Under normal circumstances these tokens would only be valid for eight hours, LogBox explained.
Yes, the patient data was totally kept protected, if one could use that token to log in as someone else...

While LogBox told MyBroadband that it has no interest in pursuing legal action against TechCrunch or Anurag Sen, it still believes that both parties may have violated South African and United States law.
They first disclosed it to you and you didn't respond; you broke at least US law by not disclosing it; good luck suing there. I would love it if a precedent could be set, as ethical hacking is quite a grey area still.

But they're not secure according to the highest international standards; part of NIST is that there are policies based on user identity. If people could access those application logs without authorization, you did not follow the "highest" international standards.

Logbox can blame whomever they like, they still failed.

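The failure quoted above is that live access tokens were written into application logs and then indexed in Elasticsearch. The usual fix is to strip or fingerprint credentials before a line ever reaches the log store. The following is an added example, not code from LogBox or from the article; the log lines are constructed for this illustration, the `FINGERPRINT_KEY` is a placeholder, and the set of token shapes it recognises (bearer headers, `token=`-style pairs, bare JWTs) is an assumption about what such logs typically contain.

```python
import hashlib
import hmac
import re

# Constructed sample log lines for this example (not LogBox's real logs).
SAMPLE_LOGS = [
    "GET /api/patient/123 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJlLWJ5dGVz 200",
    "POST /login user=dr_smith session_token=8f3a9c2e1b7d4f60a5c3e9b1d2f4a6c8 302",
    "GET /health 200",
    "DEBUG cookie: access_token=ZXhhbXBsZS10b2tlbi12YWx1ZQ; path=/",
]

# Hypothetical per-deployment key. In practice it comes from a secret store and
# is rotated; it must never be written into the same logging pipeline it protects.
FINGERPRINT_KEY = b"example-fingerprint-key-rotate-me"

# Three token shapes this example recognises (an assumption, extend as needed):
#  1. an HTTP Authorization header carrying a bearer token
#  2. key=value or key: value pairs whose key names a credential
#  3. a bare JWT (three base64url segments separated by dots) anywhere in the line
BEARER_RE = re.compile(r"(?i)(authorization:\s*bearer\s+)(\S+)")
KV_RE = re.compile(
    r"(?i)\b((?:session_|access_|refresh_|auth_|api_)?token|secret|password|api_key)"
    r"(=|:\s*)([^\s;,\"]+)"
)
JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")


def fingerprint(token: str) -> str:
    """Keyed, truncated hash of the token.

    An analyst can still correlate one session across many log lines, but the
    stored value cannot be replayed as the token and cannot be reversed without
    the key, so a leaked log store no longer hands out working sessions.
    """
    digest = hmac.new(FINGERPRINT_KEY, token.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:12]


def redact(line: str) -> str:
    """Return the line with every recognised credential replaced by its fingerprint."""
    line = BEARER_RE.sub(lambda m: m.group(1) + fingerprint(m.group(2)), line)
    line = KV_RE.sub(lambda m: m.group(1) + m.group(2) + fingerprint(m.group(3)), line)
    line = JWT_RE.sub(lambda m: fingerprint(m.group(0)), line)
    return line


def contains_credential(line: str) -> bool:
    """True if the raw line carries something one of the patterns treats as a credential."""
    return any(rx.search(line) for rx in (BEARER_RE, KV_RE, JWT_RE))


def sanitise_batch(lines):
    """Sanitise a batch before it is shipped to the log store.

    Returns (clean_lines, redacted_count); the count is useful as a metric,
    because a rising number means some code path has started logging secrets.
    """
    clean = []
    redacted = 0
    for line in lines:
        if contains_credential(line):
            redacted += 1
        clean.append(redact(line))
    return clean, redacted


if __name__ == "__main__":
    clean, n = sanitise_batch(SAMPLE_LOGS)
    for entry in clean:
        print(entry)
    print(f"{n} of {len(SAMPLE_LOGS)} lines carried a credential")
```

Run it as a filter in front of whatever ships logs to Elasticsearch (a Logstash or Filebeat processor, or the application's own log handler). Fingerprinting rather than blanking is a deliberate trade: incident responders keep the ability to say "these forty requests were one session" without the store ever holding a value that works against the API. The regexes are a starting point only; anything that logs full request or response bodies needs structured field-level scrubbing, not line-level patterns.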
|tera|

Master of Messengers
Joined
Mar 31, 2006
Messages
25,880
From a technical standpoint the explanation is full of sht.

A misconfiguration of a firewall doesn't give access to information by default.
The information, like a database, needs to be without security as well for this to happen.

Sounds like clutching at straws to me.
Edit: just read the article and it mentions the unsecured Elasticsearch DB.

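The point made above, that a firewall slip only becomes a breach when the service behind it is itself unauthenticated, can be expressed as a two-condition check. Below is an added example (not LogBox's configuration and not code from the article) that audits a flat `elasticsearch.yml` fragment for that combination. The two config fragments are constructed; the parser handles only the flat `key: value` lines shown and is not a full YAML parser; and the assumption that a missing `xpack.security.enabled` means "off" matches Elasticsearch 7.x defaults, whereas 8.x enables security automatically, so treat an absent key as version-dependent.

```python
# Constructed elasticsearch.yml fragments for this example.
EXPOSED_CONFIG = """\
cluster.name: app-logs
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

HARDENED_CONFIG = """\
cluster.name: app-logs
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the node reachable only from the box itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> dict:
    """Minimal parser for flat 'key: value' lines with optional '#' comments.

    Deliberately not a YAML parser: nested mappings and lists are out of scope.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings: dict, port_reachable_from_internet: bool) -> list:
    """Return (severity, message) findings for the node described by settings.

    port_reachable_from_internet is the firewall / security-group answer for
    http.port, supplied by the caller; the config file alone cannot know it.
    """
    findings = []
    port = settings.get("http.port", "9200")
    # Elasticsearch defaults network.host to _local_ (loopback only).
    hosts = {h.strip() for h in settings.get("network.host", "_local_").split(",")}
    bound_beyond_loopback = not hosts <= LOOPBACK
    # Assumption: absent key means off (7.x behaviour); 8.x turns it on by default.
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    if bound_beyond_loopback and not auth_on:
        # Both layers have to fail for data to be readable from outside:
        # the listener must face a non-loopback interface AND the firewall must let traffic in.
        severity = "critical" if port_reachable_from_internet else "high"
        findings.append((
            severity,
            f"network.host={','.join(sorted(hosts))} with xpack.security.enabled=false: "
            f"anyone who can reach port {port} can read and write every index without credentials"
            + ("" if port_reachable_from_internet else " (currently blocked by the firewall, so one rule change away from exposure)"),
        ))
    elif bound_beyond_loopback and not tls_on:
        findings.append((
            "medium",
            f"authentication is on but xpack.security.http.ssl.enabled is false: credentials to port {port} cross the network in clear",
        ))
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        for reachable in (True, False):
            for severity, msg in audit(parse_flat_yaml(cfg), reachable):
                print(f"[{severity}] {name} (internet-reachable={reachable}): {msg}")
```

The severity split is the whole point: with the weak config the node is "high" even while the firewall holds, because a single misapplied rule turns it into an anonymous read/write interface, which is exactly the sequence the article describes. If the cluster genuinely has to listen on a non-loopback address so that log shippers can reach it, the corrected state is authentication plus TLS on the HTTP layer plus a firewall that allows only the shipper and query hosts, not binding to loopback alone.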
Anthro

Expert Member
Joined
Jun 13, 2006
Messages
3,147
" Because of the circumstances, LogBox said that it can’t help but wonder whether someone who means them harm paid for Anurag Sen to search for security vulnerabilities in their platform. "

They didn't pentest their own applications, which leads me to think that "the highest international standards" are not really in place for their security.

j4ck455

Executive Member
Joined
Jan 2, 2006
Messages
6,710
South African medical data startup LogBox inadvertently exposed account access tokens to the public Internet due to a firewall that was misconfigured.
“LogBox is a tiny, pitiful little business. It does have potential, but it’s small and has been attacked in his infancy,” the company told MyBroadband.
Founded in 2010, LogBox has become a rising star in South Africa, just last year partnering with Lancet Laboratories, a medical diagnostics company that operates in 11 African countries.
If LogBox was founded in 2010, it cannot be a startup nor can it be an infant.

While LogBox told MyBroadband that it has no interest in pursuing legal action against TechCrunch or Anurag Sen, it still believes that both parties may have violated South African and United States law.

“Sen unequivocally committed an offence under the Electronic Communications and Transactions Act and his actions may be unlawful under the Protection of Personal Information Act,” LogBox said.

LogBox also argued that TechCrunch and Anurag Sen may have violated United States law under the Foreign Corrupt Practices Act.

Legal concerns aside, LogBox questioned how such a small business drew the attention of Anurag Sen and TechCrunch.
Ironically that misguided response from someone at LogBox could be described as infantile.

Sen reported the exposed database to the company but did not hear back. After TechCrunch reached out, the database was pulled offline.

When reached, LogBox director Neal Goldstein declined to comment by our deadline or answer any of our questions, specifically if LogBox planned to inform users or customers that data was exposed or if the company plans to report the incident to regulators.

Founded in 2010, LogBox has become a rising star in South Africa, just last year partnering with Lancet Laboratories, a medical diagnostics company that operates in 11 African countries.
LogBox was informed and chose to ignore the problem until it attracted media attention, LogBox needs to grow up, take off its stinky nappy, put on its big boy jean pant, and sort its **** out.

Rocket-Boy

Executive Member
Joined
Jul 31, 2007
Messages
9,959
Well then, considering medical data being involved, that constitutes a US HIPAA violation, which carries financial penalties.
It also constitutes a POPIA violation in SA which also carries penalties.

It really comes down to being careless with data and security controls. Why would they even expose the Elastic DB to the internet?!?
Yeah naa the fault lies entirely with the company and they are now open to all manner of liabilities.

rustypup

Expert Member
Joined
Jan 28, 2016
Messages
2,491
LogBox was informed and chose to ignore the problem until it attracted media attention, LogBox needs to grow up, take off its stinky nappy, put on its big boy jean pant, and sort its **** out.

The go-to reaction every time these chuckledinks get caught exposing data. Attack the reporter. It's cheaper than actually carrying through on the promise of securing said data.

r00igev@@r

Executive Member
Joined
Dec 14, 2009
Messages
7,322
They must have employed the same PR as the banks. Never be transparent.
Regardless, how can you blame someone else for not even having a password (which is cr@p at best) and say they have a vendetta against you???