The security research team at vpnMentor recently found a huge data leak.
Thousands of PayMyTab customer receipts have been accessible by anybody.
AWS S3 buckets
The large cloud provider AWS offers a service called S3 (Simple Storage Service). S3 is surely the most widely used cloud file storage in the world.
When you store files in storage folders (called buckets in S3), you can attach an access policy. Without an access policy the files are publicly accessible, which means anyone can open a file simply by typing its name into the browser address bar.
PayMyTab's use of S3
PayMyTab uses S3 to store customers' receipts and gives customers access to their receipts by simply sending a link to the receipt via email.
This is a common pattern and works well as long as you ensure that a customer can only access their own receipt(s).
In some cases (as at PayMyTab) everybody can access every file in the S3 bucket as long as they know the name of the file. This is an acceptable solution as long as the files have cryptic names that are impossible to guess.
If you receive an email containing a link ending in receipt-4711.pdf, why not try to access receipt-4712.pdf?
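A defender-side illustration of the pattern described above, added here as an example (not PayMyTab's code, and not the AWS presigned-URL implementation, which serves the same purpose): each receipt gets an unguessable object name, and the emailed link carries an HMAC signature plus an expiry that the server checks before serving the file. The bucket host and signing key are placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical bucket host and server-side signing key, constructed for this example.
RECEIPT_HOST = "https://receipts.example-bucket.invalid"
SIGNING_KEY = b"server-side-secret-never-placed-in-the-link"


def make_receipt_key() -> str:
    """Object name for a new receipt: 128 bits of randomness instead of a counter
    like receipt-4711.pdf, so a neighbouring receipt cannot be found by counting."""
    return f"receipts/{secrets.token_urlsafe(16)}.pdf"


def _signature(key: str, expires: int, secret: bytes) -> str:
    # Bind the signature to both the object name and the expiry time.
    msg = f"{key}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_receipt_url(key: str, ttl_seconds: int, secret: bytes = SIGNING_KEY,
                     now: Optional[int] = None) -> str:
    """Build the link that is emailed to the customer. Only the server, which holds
    the secret, can mint a valid link, and the link stops working after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(key, expires, secret)})
    return f"{RECEIPT_HOST}/{key}?{query}"


def verify_receipt_url(url: str, secret: bytes = SIGNING_KEY,
                       now: Optional[int] = None) -> bool:
    """Check performed before serving the object: the signature must match the
    object name and expiry in the link, and the expiry must not have passed."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    key = parts.path.lstrip("/")
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(sig, _signature(key, expires, secret))
```

Changing the object name, the expiry or the signature in a link makes verification fail, and a link is useless to anyone who obtains it after its expiry.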
Data breach impact
As reported, the receipt files contain the following details:
- Customer’s name
- Email address or cell telephone number
- Last 4 digits of the payment card number
- The meal items ordered
- The date, time, location, and the name of the restaurant visited
It is unclear whether that data was already downloaded by parties other than vpnMentor.
So it is very likely that this data is already being shared between hackers and cybercriminals.
If you used PayMyTab between July 2nd 2018 and the end of October 2019, we advise you to contact a lawyer to enforce your rights.