Slashdot Mirror


Education and Science Giant Elsevier Left Users' Passwords Exposed Online (vice.com)

The world's largest scientific publisher, Elsevier, left a server open to the public internet, exposing user email addresses and passwords. "The impacted users include people from universities and educational institutions from across the world," reports Motherboard. "It's not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials." From the report: "Most users are .edu [educational institute] accounts, either students or teachers," Mossab Hussein, chief security officer at cybersecurity company SpiderSilk who found the issue, told Motherboard in an online chat. "They could be using the same password for their emails, iCloud, etc." Motherboard verified the data exposure by asking Hussein to reset his own password to a specific phrase provided by Motherboard beforehand. A few minutes later, the plain text password appeared on the exposed server. Elsevier secured the server after Motherboard approached the company for comment. Hussein also provided Elsevier with details of the security issue.

An Elsevier spokesperson told Motherboard in an emailed statement that "The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts."

43 comments

  1. Small wonder by nospam007 · · Score: 1

    They suck!

    1. Re:Small wonder by antdude · · Score: 1

      Hey! Small Wonder was rad(ical).

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  2. "The hacker blinded me with science!" by Tablizer · · Score: 1
  3. So what did you expect after by Anonymous Coward · · Score: 0

    giving them 10s of k$ (At least) - they can easily support you and tons of fake users with only a few paying suckers like you.

  4. "Education and Science Giant"? by drinkypoo · · Score: 2, Informative

    "Education and Science Giant"? You fucking whores. Try MASSIVE PURVEYOR OF SCIENTIFIC FRAUD next time, if you can find your spine and get it working.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Passwords still not hashed??? by blahbooboo · · Score: 4, Interesting

    How can any company STILL not be hashing their user's passwords?

    1. Re:Passwords still not hashed??? by goombah99 · · Score: 1

      Came here to say the same thing. Why would anyone store passwords???? Isn't that just too well known that you store hashes?

      Is there some common CMS that does it that way or something?

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:Passwords still not hashed??? by 110010001000 · · Score: 1

      they probably just store it all in Oracle or mysql.

    3. Re:Passwords still not hashed??? by Anonymous Coward · · Score: 0

      The ones that keep shrinking their workers base to increase profits reports?

    4. Re:Passwords still not hashed??? by Anonymous Coward · · Score: 0

      Let's be honest. When you use a password at a website, you need to assume that somewhere between the process of you typing in your password and your password being hashed on the server there is someone listening and logging your password. This is especially true now everyone uses 3rd parties for hosting.
      If it makes you feel better to know that the server you just logged into is hashing your password, you're not thinking about it right.
      If someone has managed to hack into a database on a server to acquire the passwords then they already own your data.

    5. Re:Passwords still not hashed??? by Solandri · · Score: 1

      Because some manager saved the company some money by having his high school nephew who's "really good at computers" write the password authentication program, instead of hiring a real programmer.

    6. Re:Passwords still not hashed??? by ls671 · · Score: 1

      they probably just store it all in Oracle or mysql.

      That's what I do most of the time and it doesn't prevent me from hashing and salting so I am not sure that I understand your point.

      --
      Everything I write is lies, read between the lines.
    7. Re:Passwords still not hashed??? by ceoyoyo · · Score: 1

      Because getting hacked works like it does on TV... some kid in a hoodie types really fast, and there's nothing you can do unless you have another kid in a hoodie to type back.

      Hashing passwords? Is that some kind of drug thing?

    8. Re:Passwords still not hashed??? by michelcolman · · Score: 1

      I thought LinkedIn was unbelievably negligent when they were not using salt. But Elsevier doesn't even hash?!?! What is this, 1980?

  6. How can you trust anyone... by george14215 · · Score: 2

    ...that manages authentication and privacy information on their servers without knowing:
    a. they are using up-to-date software
    b. that they are actually deploying it correctly
    c. that they don't just go with the default settings
    It's akin to trusting an electronic voting system with proprietary code that you can't examine. And 3rd party audit of security practices is a joke.

    1. Re:How can you trust anyone... by iggymanz · · Score: 1

      lolz you're talking about a place that stores passwords in plain text, they're morons. forget about your advanced concepts being something actionable by them.

    2. Re:How can you trust anyone... by Anonymous Coward · · Score: 0

      Aren't you the complete moron that doesn't think telepresence hospital robots are actually robots? You think there's a little man inside, lol. Moron iggy lol.

    3. Re:How can you trust anyone... by Cmdln+Daco · · Score: 1

      Get a new hobby. Your trolls are mediocre.

    4. Re:How can you trust anyone... by iggymanz · · Score: 1

      oh you think storing passwords in readable form is fine, and saying that's bad is trolling?

      You are the one who is less than mediocre at certain things

    5. Re:How can you trust anyone... by iggymanz · · Score: 1

      oops, sorry, slashdot suppressed troll and showed your post as reply to me

  7. who cares about server config that made it public by Anonymous Coward · · Score: 0

    It's the storing passwords in plain text that's the issue!

  8. Logging by k2r · · Score: 1

    IIRC I've seen passwords in transcripts of HTTP authentication logged into a big retailer's Splunk. It was fixed days after mentioning it.
    I guess this was similar with Elsevier's Kibana, with the addition of no "user accounts" and "publicly accessible".

    I prefer the password management of sci-hub,

  9. Elsevier is not a science giant... by Anonymous Coward · · Score: 3, Insightful

    It's not science at all, it's a giant peddler of stolen goods that made a monopoly from public research.

  10. Shouldn't Slashdot Denizens Be Cheering? by Cmdln+Daco · · Score: 1

    This sounds like a mecca of open and free scientific documents.

    1. Re:Shouldn't Slashdot Denizens Be Cheering? by bill_mcgonigle · · Score: 1

      Cheering that some dumbass disclosed it instead of helping out the folks at https://sci-hub.tw/ ?

      No, this is a loss for citizen scientists everywhere.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  11. Open Science by Anonymous Coward · · Score: 1

    Well at least they tried open science for a while. How do we get them to do that permanently?

  12. Shaddap doppelganger faggot account by Anonymous Coward · · Score: 0

    Go suck a poorly-duplicated cock, doppelfag

  13. Exposed Passwords by Anonymous Coward · · Score: 0

    Explain to me, again, how they kept passwords in clear text?

    1. Re:Exposed Passwords by Anonymous Coward · · Score: 0

      RELX: Hello. Elsevier service desk. Joey speaking. How can I help you?
      Dolt: Oh, hi. I forgot the password to my account.
      R: Man, that sucks. Let's take care of that for you. *clicky-click* Ok. What is your mother's maiden name?
      D: Dumont
      R: Good. What was the street of your childhood address?
      D: Oak Street
      R: Great. I have your password here. Do you have a pencil handy?
      D: Yup
      R: OK. It's k - a - r - e - n - capital W - at sign - n - t - five - m - y - capital D
      D: Oh yeah, thanks! I'm in!
      R: You're very welcome. Glad I could help. Is there anything else?
      D: Nope. I'm all set!
      R: Great! Have a nice day!
      D: Bye!

  14. Well, and arxiv and by Mr.+Dollar+Ton · · Score: 1

    Library Genesis don't need passwords, so not really possible to "expose" them.

    1. Re:Well, and arxiv and by Anonymous Coward · · Score: 0

      You need an Arxiv account to upload papers on it.

    2. Re:Well, and arxiv and by Mr.+Dollar+Ton · · Score: 1

      Naturally, but let's compare apples to apples. The leaked passwords for Elsevier aren't of authors, but of readers.

  15. Why even store passwords? by jonwil · · Score: 2

    It's 2019, why would anyone even be storing passwords in plaintext (or reversible encryption) instead of using password hashes?

  16. another unsecured ELK cluster by astrofurter · · Score: 2

    From TFA: "The data itself was displayed via Kibana, a popular tool for visualizing and sorting data."

    So this is yet another case of an unsecured ELK (Elasticsearch, Logstash, and Kibana) cluster sitting wide open on the public internet. Most likely an AWS managed ES cluster - which have lately become notorious for their terrible security. Terrible because AWS refuses to give a dime to the company that wrote the software and therefore gets no cooperation from them, yet is also too cheap to implement their own security layer.

    I've been a reasonably satisfied user of AWS for many years. But I do not hesitate to call the AWS managed Elasticsearch offering a security nightmare. And a social affront to the open source community.

    My company recently switched from AWS ES (with a home-rolled security layer) to Elastic Co's managed ES service. Dealing with Elastic's enterprise-y salescreatures is a real pain. But their managed ES service is simultaneously much better and (in some configurations) slightly cheaper than the AWS offering.

    1. Re:another unsecured ELK cluster by phantomfive · · Score: 2

      There is absolutely zero reason to have any database on the open internet. "nmap $hostname$" today, make sure your IPs are not exposing things they shouldn't.

      --
      "First they came for the slanderers and i said nothing."
    2. Re: another unsecured ELK cluster by astrofurter · · Score: 1

      In AWS ES default configuration, any IP that can reach Kibana - the web UI often used by business analysts to explore the data - also has access to ES on its JSON/HTTP API.

      That's why AWS ES clusters are so often left wide open. So the business users can access Kibana from wherever. They hope for security by obscurity. No one outside the company knows the URL, so it's "secure".

      By itself, AWS ES does not offer any reasonable way to grant access to Kibana without also granting access to ES API. And it provides no means of user authentication. Access is all or nothing.

      This defect can be mitigated with a proxy that provides authentication and URL filtering. That provides a big improvement; but it's still far from ideal.
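The proxy approach this comment describes, as an added example that is not part of the thread and not AWS or Elastic code: a minimal Python front proxy that requires HTTP Basic authentication (credentials kept only as salted PBKDF2 hashes, which is also the answer to the "why store plaintext" questions above) and forwards only requests under the Kibana prefix, so the raw Elasticsearch API behind the same AWS ES endpoint is never reachable through it. The upstream domain endpoint, user name and password are placeholders.

```python
import base64, hashlib, hmac, os, posixpath, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://search-PLACEHOLDER.us-east-1.es.amazonaws.com"  # placeholder ES domain endpoint
KIBANA = "/_plugin/kibana"  # prefix Kibana is served under on an AWS ES domain

def hash_password(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)  # salted, slow, no plaintext kept

def make_user_db(plain):
    # {user: plaintext} -> {user: (salt, hash)}; the plaintext is dropped
    return {u: (s, hash_password(p, s)) for u, p in plain.items() for s in [os.urandom(16)]}

def basic_header(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def authorize(path, auth_header, db):
    """(status, reason): authenticated requests under the Kibana prefix pass; the raw ES API never does."""
    if not auth_header or not auth_header.startswith("Basic "):
        return 401, "authentication required"
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, "authentication required"
    salt, digest = db.get(user, (b"\0" * 16, b""))  # unknown user still pays the hash cost
    if not hmac.compare_digest(hash_password(pw, salt), digest):
        return 401, "authentication required"
    norm = posixpath.normpath(urllib.parse.unquote(path.split("?", 1)[0]))  # ../ and %2e%2e cannot escape
    if norm == KIBANA or norm.startswith(KIBANA + "/"):
        return 200, "ok"
    return 403, "only the Kibana UI is exposed through this proxy"

class FilteringProxy(BaseHTTPRequestHandler):
    db = {}  # set to make_user_db({...}) before serving
    def do_GET(self):
        status, reason = authorize(self.path, self.headers.get("Authorization"), self.db)
        body, ctype = reason.encode(), "text/plain"
        if status == 200:  # only now does a request reach the cluster, over the proxy's own network path
            try:
                resp = urllib.request.urlopen(urllib.request.Request(UPSTREAM + self.path))
            except urllib.error.HTTPError as e:
                resp = e  # pass upstream errors through instead of crashing the handler
            status, body, ctype = resp.getcode(), resp.read(), resp.headers.get("Content-Type", "text/plain")
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="kibana"')
        self.end_headers()
        self.wfile.write(body)
```

Serve it with an `HTTPServer` bound to `FilteringProxy` after setting `FilteringProxy.db`, and terminate TLS in front of it, since Basic credentials otherwise travel in the clear. Kibana's own backend requests still reach the cluster on behalf of an authenticated user, which is why the comment calls this an improvement rather than a fix.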

    3. Re: another unsecured ELK cluster by phantomfive · · Score: 1

      This defect can be mitigated with a proxy that provides authentication and URL filtering.

      I strongly suggest setting up a VPN, there are several free packages and it shouldn't take more than a day to set up.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:another unsecured ELK cluster by Anonymous Coward · · Score: 0

      Any reason you didn't use Cognito to secure AWS ES?

  17. Generous! by Anonymous Coward · · Score: 0

    Now if they were as generous with their hijacked scientific content, we'd be happy!

  18. Finally Open Access :) by Poorcku · · Score: 1

    there, it says it all

    --
    I take my children to see Madonna(..), but I never for once ever thought I was in the same business. Chris Rea.
  19. So what? by Anonymous Coward · · Score: 0

    It probably won't cost them anything and nobody will go to prison...

  20. Ditto --- great comments! by sgt_doom · · Score: 1

    Their American subsidiary purchased my company and immediately offshored all our jobs - - que sera, sera!

  21. Lawsuit by Anonymous Coward · · Score: 0

    Time for a lawsuit