Swiss real estate agency Neho fails to put a password on its systems

A
misconfiguration
of
Swiss
real
estate
agency
Neho’s
systems
exposed
sensitive
credentials
to
the
public.

Neho,
a
Switzerland-based
real
estate
agency,
leaked
credentials
recently,
potentially
allowing
threat
actors
to
prey
on
sensitive
data
about
the
company
and
its
clients.

• A
  misconfiguration
  of
  Swiss
  real
  estate
  agency
  Neho’s
  systems
  exposed
  sensitive
  credentials
  to
  the
  public.
• Using
  leaked
  data,
  threat
  actors
  could
  potentially
  breach
  the
  company’s
  internal
  systems
  and
  hijack
  official
  communication
  channels.
• Real
  estate
  agencies
  handle
  sensitive
  data,
  including
  customers’
  personally
  identifiable
  information,
  bank
  account
  details,
  and
  other
  data
  highly
  valued
  by
  cybercriminals.
  Ensuring
  cybersecurity
  is
  vital.
• Cybernews
  reached
  out
  to
  Neho
  and
  the
  company
  fixed
  the
  issue.

The
Cybernews
research
team
discovered
a
misconfiguration
in
the
Neho.ch
website
that
exposed
sensitive
credentials
to
the
public,
potentially
allowing
threat
actors
to
take
over
the
company’s
systems.

The
company’s
website,
which
features
real
estate
classifieds,
receives
monthly
traffic
of
around
120,000
visitors.
With
an
annual
revenue
of
almost
$12
million,
Neho
claims
to
be
the
first
commission-free
real
estate
agency
in
the
country.

Cybernews
reached
out
to
Neho,
and
the
company
secured
access
to
their
systems.

Public
access
to
the
company’s
systems

On
March
18th,
the
Cybernews
research
team
discovered
a
publicly
accessible
environment
file
(.env)
hosted
on
the
official
Neho’s
website.

The
file
contained
PostgreSQL
and
Redis
databases
credentials,
including
host,
port,
username,
and
password.

Exposure
of
these
credentials
is
particularly
dangerous
as
it
grants
threat
actors
access
to
the
content
of
the
databases.
Given
that
the
databases
are
connected
to
the
internet,
it
makes
it
easier
for
attackers
to
access
them.

Among
the
leaked
data,
researchers
found Amazon
Web
Services (AWS)
Bucket
credentials
–
key
ID
and
secret.
Judging
by
the
name
–
‘neho-media’,
the
bucket
most
likely
stored
images.

While,
for
legal
reasons,
researchers
cannot
define
the
exact
content
of
the
bucket,
there’s
a
possibility
that
it
might
also
contain
sensitive
files
related
to
the
agency’s
customers
or
properties.

Researchers
also
stumbled
upon
Elasticsearch
AWS
credentials.
Typically,
these
instances
serve
as
potential
treasure
troves,
housing
crucial
information
such
as
customer
records,
payment
data,
and
a
myriad
of
other
invaluable
details.

Credentials
leaked
included:

• PostgreSQL
  database
  host,
  port,
  name,
  and
  password
• Redis
  database
  host,
  port,
  and
  password
• Mailgun
  host,
  username,
  and
  password
• Postmark
  API
  and
  SMTP
  credentials
• AWS
  Bucket
  access
  key
  ID
  and
  secret
• Twilio
  Account
  credentials
• Aircall
  API
  and
  tokens
• Elastic
  search
  AWS
  credentials
• Google
  Client
  ID
  and
  Secret
• Facebook
  Client
  ID
  and
  secret
• Trustpilot
  API
  key
  and
  secret
• Pricehubble
  credentials
• Movu.ch
  token
• Canny
  ID,
  keys
  and
  tokens
• TravelTime
  API

Corporate
communication
channels
at
risk

Another
piece
of
sensitive
information
observed
was
the
application
programming
interface
(API)
and
Simple
Mail
Transfer
Protocol
(SMTP)
credentials
for
Postmark
email-sending
services.
By
exploiting
these
credentials,
a
malicious
actor
could
use
the
company’s
official
email
to
deploy
phishing
campaigns
and
send
spam.

Among
leaked
credentials,
researchers
also
found
the
host,
username,
and
password
for
Mailgun
email
services
used
by
the
company.

If
these
credentials
were
to
fall
into
the
hands
of
malicious
actors,
it
could
enable
them
to
read
and
send
emails.
This
poses
a
significant
threat
as
it
opens
the
door
for
phishing
attacks
to
be
initiated
using
a
legitimate
Neho
email
address.

The
leaked
data
shows
that
the
company
has
been
using
Aircall,
a
cloud-based
call
center
software,
and Twilio,
a
communication
tool
for
making
and
receiving
phone
calls
and
text
messages.

These
communication
channels
between
the
company
and
clients
were
at
risk.
The
publicly
accessible
environment
file
exposed
the
Aircall
API
and
tokens,
as
well
as
the
Twilio
credentials,
enabling
threat
actors
to
hijack
them.

The
file
also
contained
Facebook
App
ID
with
a
secret
key,
and
Google’s
Client
ID
and
secret
key.
Leaking
these
credentials
is
a
cause
of
concern,
as
threat
actors
could
use
them
to
either
hijack
the
company’s
Facebook
and
Google
applications
or
request
user
data.

Additionally,
the
API
key
and
secret
used
to
access
Trustpilot,
a
review
platform,
were
exposed.
These
credentials
could
potentially
grant
access
to
Neho’s
account
on
the
platform,
enabling
malicious
actors
to
edit
or
delete
data
related
to
Neho,
and
damaging
its
reputation.

A
number
of
less
critical
credentials
were
also
exposed,
including
Pricehubble
credentials,
Movu.ch
token,
Canny
ID,
keys
and
tokens,
and
TravelTime
API.

What’s
at
stake?

The
type
and
volume
of
data
exposed
by
the
company
enable
threat
actors
to
launch
a
multitude
of
attacks
on
both
the
website
itself
and
its
users
with
relative
ease.

Cyberattacks
on
real
estate
agencies
are
hazardous,
as
the
companies
are
usually
entrusted
with
a
significant
amount
of
sensitive
data,
encompassing
crucial
personal
identifiable
information
(PII)
of
customers,
as
well
as
their
bank
account
details.
This
data
holds
immense
appeal
for
cybercriminals.

Using
Neho’s
leaked
data,
a
malicious
actor
might
have
completely
taken
over
the
company’s
internal
systems
and
used
privilege
escalation
and
lateral
movement
for
further
exploitation.

Threat
actors
could
leverage
the
data
present
in
the
databases
to
initiate
a
range
of
malicious
activities,
including
phishing
attacks,
fraudulent
marketing
campaigns,
and
identity
fraud.

Apart
from
the
risks
of
ransom
and
data
theft,
attackers
may
also
opt
to
duplicate
private
datasets
to
facilitate
further
intrusions.

The
company’s
response

In
their
official
statement,
the
company
stated
that
they
removed
the
exposed
environment
file
“immediately.”

“We
would
like
to
stress
that
we
often
rotate
our
keys
and
that
the
file
was,
for
the
most
part,
holding
obsolete
data
alongside
inactive
services
that
we
don’t
use
anymore,”
claimed
the
company.

Are
you
interested
to
know
how
to
avoid
the
risks?

Give
a
look
at
the
original
post
at

https://cybernews.com/security/neho-real-estate-agency-data-leak/

About
the
author:

Paulina
Okunytė,
Journalist
at
CyberNews

Follow
me
on
Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Neho)

Share
On

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts