Legalinc is a legal-service provider based in Frisco, TX.
They offer a wide range of services, including Entity Management and Registered Agent Services.
Their Order Management System
Legalinc's Order Management System (OMS) delivers documents to end users by sending them a link to the document stored in AWS S3.
The S3 bucket used for this had no access policy, so it was publicly readable. This means that anybody could open any document in Legalinc's OMS with a browser simply by typing in the name of the document.
Unfortunately, the document names were very easy to guess.
Legalinc sent links to their customers like this one:
After receiving one document it was easy to determine the naming scheme:
https://<BUCKET_NAME>.s3.amazonaws.com/<NUMERIC_ID>/<NUMERIC_ID>-final_packet.pdf
So if you simply incremented or decremented the numeric ID, you received the next document:
No Login. No access control. No temporary credentials. Open for anybody.
Fortunately, not all documents were named with the same simple pattern, but our research showed that almost 10% of all stored documents followed it.
This enabled us to download 29,035 documents in the numeric ID range of 100,000 to 400,000 by simply increasing the ID counter.
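As an added example (not code from the original post or from Legalinc), the following Python checks S3 server access logs for the access pattern described above: anonymous GET requests from a single client that walk consecutive numeric IDs under the <ID>/<ID>-final_packet.pdf naming scheme. The log lines, bucket name and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log line: owner bucket [time] ip requester reqid op key "uri" status
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3})'
)
# Object-key scheme from the post: <NUMERIC_ID>/<NUMERIC_ID>-final_packet.pdf
PACKET_KEY_RE = re.compile(r'^(?P<id>\d+)/(?P=id)-final_packet\.pdf$')

def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def longest_consecutive_run(ids):
    """Longest stretch of IDs, in request order, that differ by exactly 1 (ascending or descending)."""
    best, run = [], []
    for i in ids:
        run = run + [i] if run and abs(i - run[-1]) == 1 else [i]
        if len(run) > len(best):
            best = run
    return best

def find_sequential_scrapers(lines, min_run=3):
    """Map remote IP -> consecutive packet IDs it fetched anonymously (only runs of at least min_run)."""
    # Anonymous requests carry '-' as requester; authenticated OMS traffic (an IAM ARN) is ignored.
    ids_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec['requester'] != '-' or rec['op'] != 'REST.GET.OBJECT':
            continue
        key = PACKET_KEY_RE.match(rec['key'])
        if key:
            ids_by_ip[rec['ip']].append(int(key.group('id')))
    return {ip: run for ip, ids in ids_by_ip.items()
            if len(run := longest_consecutive_run(ids)) >= min_run}

def _log(ip, requester, key, status):  # one constructed line in S3 access log layout (sample, not real data)
    return (f'own1 example-bucket [02/Dec/2019:10:00:01 +0000] {ip} {requester} '
            f'REQ1 REST.GET.OBJECT {key} "GET /{key} HTTP/1.1" {status}')

# Constructed sample: one anonymous client walking IDs 100201..100204 and then hitting a gap (404),
# one stray anonymous download, and authenticated OMS traffic that is not scraping.
SAMPLE_LOGS = [_log('203.0.113.7', '-', f'{i}/{i}-final_packet.pdf', 200) for i in range(100201, 100205)] + [
    _log('198.51.100.9', '-', '250000/250000-final_packet.pdf', 200),
    _log('203.0.113.7', '-', '100300/100300-final_packet.pdf', 404),
    _log('192.0.2.5', 'arn:aws:iam::123456789012:user/oms', '300000/300000-final_packet.pdf', 200),
]
```

Blocking public access on the bucket and handing out expiring presigned URLs instead of direct object links removes the root cause; a log check like this is for establishing whether scraping already took place.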
Since forming legal entities appears to be Legalinc's core service, most of the downloaded and analyzed documents relate to founding a business entity.
Many documents consist of several parts, such as a Certificate of Incorporation, the Articles of Organization and an Application for Employer Identification Number or an EIN assignment.
Most of the documents contain highly sensitive information, such as the beneficial owner of the company (including private address and SSN / Tax ID), the principal place of business or the assigned EIN.
There are also many tax-related documents, such as Annual Franchise Tax Reports for Delaware-based corporations.
The oldest found document is dated 2016. The newest one is just a few days old. Most of the documents are dated 2018 – 2019.
After finding this massive security hole we promptly informed Legalinc on December 2nd, 2019 to give them the ability to resolve the issue quickly. Legalinc reacted fast and closed the hole within a few days.
We decided to hold back this story to give Legalinc and its partners the ability to inform all impacted customers themselves.
In the meantime Stripe published a statement. Despite their statement, as a Stripe Atlas customer I was not informed about my documents being leaked.
The security hole seems to have existed for at least 2 years. You do not need a PhD in computer science to increase a number in your browser's address bar, so it is very unlikely that we are the first ones who found this.
Most probably those almost 30,000 documents have already been downloaded by groups that – in extreme contrast to us – are not interested in increasing data security but in abusing the found information.
Each document contains enough information to pass the typical checks of a payment provider like PayPal. Perhaps some foreign tax authorities are also interested in some of the disclosed documents.
Why we discovered the breach
We found this breach as a result of our security research activities.
Our research team investigates possible vulnerabilities around the clock to be able to give the best security advice to our clients.
As ethical hackers we feel obliged to notify the affected company if we discover deficiencies in their online security. This applies in particular when the company's data protection violation involves such private information.
However, these ethics also mean that we have a responsibility towards the public. WPML customers must be aware of a data breach that affects them.
WaspCloud is a Cloud Security Research team.
We build custom-tailored security solutions for our clients and make the web safer for all internet users.