Weight Watchers Leaves Server Unprotected, Exposes Internal IT Infrastructure


This is the kind of breaking news that unfortunately is becoming "old hat." Another corporate giant exposed because of poor practices in the IT realm. A critical server for Weight Watchers was left unprotected, allowing researchers to take a bite out of the company's AWS access keys and, through them, dozens of S3 buckets containing company data.

Researchers said that they discovered a Weight Watchers administration console earlier this month that was accessible over the Internet with no authentication at all. (Those of us in IT actually cringe at this.)

Weight Watchers has confirmed that no customer data was affected. The real danger, though, was that root-level administrative credentials were sitting on the open Internet, which could have opened many doors for an attacker.

The researchers said the open console was Kubernetes, an open-source container orchestration tool originally developed by Google that automates the deployment and monitoring of application containers. The cluster required no authentication whatsoever, and it was found on at least three IP addresses with the kubelet API port (TCP 10250) exposed to the Internet.

That gave access to the pod specifications for everything running on those nodes, including an AWS access key pair (access key ID and secret access key), which in turn opened several dozen S3 buckets of company data, the researchers said. In all, 31 users were affected, among them a user with root and administrative credentials and applications with programmatic access.
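The mechanics described in the two paragraphs above are easy to check for yourself. The following script is an added example for this article, not code from the original post or from Weight Watchers: it probes a kubelet's port 10250 anonymously and classifies the answer, then walks a PodList of the kind an open `/pods` endpoint returns and flags environment variables that look like credentials. `SAMPLE_PODLIST`, the image names and the key values in it are constructed for illustration and come from nowhere in the incident.

```python
"""Probe a kubelet for anonymous access and scan what it hands back.

Added example; not code from the original article or from Weight Watchers.
The kubelet serves its API over HTTPS on TCP 10250. When anonymous access is
allowed, GET /pods returns a PodList describing every pod on that node,
environment variables included, which is exactly where long-lived cloud
credentials tend to live. SAMPLE_PODLIST is constructed sample data.
"""
import json
import re
import ssl
import sys
import urllib.request
from typing import Dict, List, Optional
from urllib.error import HTTPError, URLError

KUBELET_PORT = 10250

# Env var names that routinely carry long-lived credentials.
SENSITIVE_NAME = re.compile(
    r"AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|"
    r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY",
    re.IGNORECASE,
)
# Shape of an AWS access key ID: AKIA (IAM user) or ASIA (temporary STS key)
# followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


def classify_status(status: Optional[int]) -> str:
    """Verdict for the HTTP status an unauthenticated GET /pods returned.

    200   anonymous requests are authenticated AND authorised: exposed
    401   anonymous authentication is disabled (what you want)
    403   anonymous is authenticated but authorization denied it (acceptable)
    None  connection refused or timed out: not reachable from here
    """
    if status is None:
        return "unreachable"
    if status == 200:
        return "EXPOSED"
    if status in (401, 403):
        return "protected"
    return "unexpected:%d" % status


def probe_kubelet(host: str, port: int = KUBELET_PORT, timeout: float = 5.0) -> Optional[int]:
    """GET https://host:port/pods with no credentials; return the status code.

    Kubelets use self-signed serving certificates, so verification is off;
    the only question is whether the API answers an anonymous caller.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen("https://%s:%d/pods" % (host, port),
                                    timeout=timeout, context=ctx) as resp:
            return resp.status
    except HTTPError as e:
        return e.code              # 401/403 arrive here, not as a normal response
    except (URLError, OSError):
        return None


def find_leaked_env(podlist: Dict) -> List[Dict]:
    """List every env var in a PodList whose name or value looks like a credential."""
    findings = []
    for pod in podlist.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for ctr in spec.get("containers", []) + spec.get("initContainers", []):
            for env in ctr.get("env", []):
                value = env.get("value")
                if value is None:
                    # valueFrom (Secret/ConfigMap reference): the PodSpec the
                    # kubelet serves exposes the reference, not the resolved value.
                    continue
                name = env.get("name", "")
                if SENSITIVE_NAME.search(name) or AWS_KEY_ID.search(value):
                    findings.append({
                        "namespace": meta.get("namespace", ""),
                        "pod": meta.get("name", ""),
                        "container": ctr.get("name", ""),
                        "env": name,
                        "preview": value[:4] + "...",   # never log the whole secret
                    })
    return findings


# Constructed sample: what an open /pods endpoint might return for one node.
SAMPLE_PODLIST = {
    "kind": "PodList", "apiVersion": "v1",
    "items": [
        {"metadata": {"name": "uploader-7d9f", "namespace": "prod"},
         "spec": {"containers": [{
             "name": "uploader", "image": "example/uploader:1.0",
             "env": [
                 {"name": "S3_BUCKET", "value": "example-uploads"},
                 {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEKEYID0001"},
                 {"name": "AWS_SECRET_ACCESS_KEY",
                  "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
             ]}]}},
        {"metadata": {"name": "web-5c4b", "namespace": "prod"},
         "spec": {"containers": [{
             "name": "web", "image": "example/web:2.3",
             "env": [
                 {"name": "LOG_LEVEL", "value": "info"},
                 {"name": "DB_PASSWORD",
                  "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
             ]}]}},
    ],
}

if __name__ == "__main__":
    # Usage: python kubelet_check.py <node-ip>   (no argument: scan the sample only)
    if len(sys.argv) > 1:
        status = probe_kubelet(sys.argv[1])
        print("%s:%d -> %s" % (sys.argv[1], KUBELET_PORT, classify_status(status)))
    for hit in find_leaked_env(SAMPLE_PODLIST):
        print(json.dumps(hit))
```

Run it against the sample and the two AWS variables in the `uploader` pod are reported, while `DB_PASSWORD`, which is pulled from a Secret rather than written into the spec, is not: that difference is the whole argument for keeping credentials out of pod environment variables (or better, out of long-lived keys altogether by using IAM roles bound to the workload). A `200` from the probe means an outsider can read exactly what this scanner reads.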

An administration interface should never be reachable from the Internet without strong authentication, and ideally should not be reachable from the Internet at all. By leaving this console open, Weight Watchers handed out the keys and the information needed to reach its entire environment.

We always suggest that companies protect their administration interfaces with several measures at once: restrict the ports at the firewall to the hosts that genuinely need them, require TLS with authentication on the interface itself, and treat no single control as sufficient on its own. Only a layered approach is truly effective, and it applies even on a strictly internal network, because threats are always out there.
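For the Kubernetes case in this story, the "interface itself" layer is the kubelet's own configuration. The following is an added example, not code from the original article or from Weight Watchers: two dictionaries that mirror the fields of a KubeletConfiguration file (`kubelet.config.k8s.io/v1beta1`), one reproducing the permissive settings that make port 10250 an open door and one hardened, plus an audit function that reports which settings are still weak. The CA path in the hardened config is the usual kubeadm location and is an assumption.

```python
"""Audit a kubelet configuration for the settings behind an open port 10250.

Added example for this article, not the project's or the company's code.
The dicts mirror KubeletConfiguration (kubelet.config.k8s.io/v1beta1).
WEAK_CONFIG spells out the permissive behaviour the article describes;
HARDENED_CONFIG is the shape you want. The defaults used for missing keys
follow the configuration file, which is stricter than the equivalent
command-line flags (--anonymous-auth defaults to true, for instance).
"""
from typing import Dict, List

WEAK_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": True},   # unauthenticated callers become system:anonymous
        "webhook": {"enabled": False},    # bearer tokens are not checked with the API server
        "x509": {},                       # no client CA, so no client certificates either
    },
    "authorization": {"mode": "AlwaysAllow"},  # any authenticated caller may do anything
    "readOnlyPort": 10255,                     # second port, unauthenticated by design
}

HARDENED_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},  # assumed kubeadm path
    },
    "authorization": {"mode": "Webhook"},  # API server authorises each request (RBAC)
    "readOnlyPort": 0,                     # disabled
}


def audit_kubelet_config(cfg: Dict) -> List[str]:
    """Return one finding per setting that leaves the kubelet API open."""
    findings = []
    auth = cfg.get("authentication", {})
    anonymous = auth.get("anonymous", {}).get("enabled", False)
    webhook = auth.get("webhook", {}).get("enabled", True)
    client_ca = auth.get("x509", {}).get("clientCAFile")
    mode = cfg.get("authorization", {}).get("mode", "Webhook")
    ro_port = cfg.get("readOnlyPort", 0)

    if anonymous:
        findings.append("authentication.anonymous.enabled=true: "
                        "unauthenticated callers are accepted as system:anonymous")
    if mode == "AlwaysAllow":
        findings.append("authorization.mode=AlwaysAllow: every authenticated caller "
                        "may read pod specs and exec into containers")
    if anonymous and mode == "AlwaysAllow":
        findings.append("anonymous + AlwaysAllow: the fully open kubelet, "
                        "GET /pods and /exec with no credentials at all")
    if not webhook and not client_ca:
        findings.append("no webhook token auth and no x509 clientCAFile: "
                        "there is no way to authenticate a legitimate caller")
    if ro_port != 0:
        findings.append("readOnlyPort=%d: pod specs served with no authentication "
                        "on a second port" % ro_port)
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_kubelet_config(cfg) or ["no findings"])
```

The same settings exist as kubelet flags (`--anonymous-auth=false`, `--authorization-mode=Webhook`, `--read-only-port=0`). Fixing the kubelet is one layer; the firewall layer the article calls for is a host rule that admits only the API server to TCP 10250 and drops everything else, for example `iptables -A INPUT -p tcp --dport 10250 -s <api-server-ip> -j ACCEPT` followed by `iptables -A INPUT -p tcp --dport 10250 -j DROP`. Note in the audit that closing anonymous access while leaving `readOnlyPort` at 10255 still reports a finding: the read-only port serves pod specs with no authentication of any kind.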

This is just another example of a corporate giant with a massive IT budget letting things slip because of poor practices. Small businesses need to keep this in mind. Without a large IT budget, you must be proactive and make sure whoever handles your IT is actually keeping you protected.

For more information on protecting your small business with a small business budget, read on: