Slashdot Mirror


Education and Science Giant Elsevier Left Users' Passwords Exposed Online (vice.com)

The world's largest scientific publisher, Elsevier, left a server open to the public internet, exposing user email addresses and passwords. "The impacted users include people from universities and educational institutions from across the world," reports Motherboard. "It's not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials." From the report: "Most users are .edu [educational institute] accounts, either students or teachers," Mossab Hussein, chief security officer at cybersecurity company SpiderSilk who found the issue, told Motherboard in an online chat. "They could be using the same password for their emails, iCloud, etc." Motherboard verified the data exposure by asking Hussein to reset his own password to a specific phrase provided by Motherboard beforehand. A few minutes later, the plain text password appeared on the exposed server. Elsevier secured the server after Motherboard approached the company for comment. Hussein also provided Elsevier with details of the security issue.

An Elsevier spokesperson told Motherboard in an emailed statement that "The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts."

7 of 43 comments

  1. "Education and Science Giant"? by drinkypoo · Score: 2, Informative

    "Education and Science Giant"? You fucking whores. Try MASSIVE PURVEYOR OF SCIENTIFIC FRAUD next time, if you can find your spine and get it working.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Passwords still not hashed??? by blahbooboo · Score: 4, Interesting

    How can any company STILL not be hashing their users' passwords?

  3. How can you trust anyone... by george14215 · Score: 2

    ...that manages authentication and privacy information on their servers without knowing:
    a. they are using up-to-date software
    b. that they are actually deploying it correctly
    c. that they don't just go with the default settings
    It's akin to trusting an electronic voting system with proprietary code that you can't examine. And 3rd party audit of security practices is a joke.

  4. Elsevier is not a science giant... by Anonymous Coward · Score: 3, Insightful

    It's not science at all; it's a giant peddler of stolen goods that made a monopoly from public research.

  5. Why even store passwords? by jonwil · Score: 2

    It's 2019, why would anyone even be storing passwords in plaintext (or reversible encryption) instead of using password hashes?
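
Comments 2 and 5 ask why passwords were stored in plaintext at all. As an added example (not from the article or from any commenter), here is the defender's alternative using only Python's standard library: a salted PBKDF2 digest for the password and a SHA-256 of the one-time reset token, so a dump of the stored records, like the list of passwords and reset links exposed on the server, reveals neither. The in-memory `USERS` dict stands in for the user table, and all usernames and passphrases are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256

# Constructed in-memory stand-in for the user table; a real deployment persists these columns.
USERS = {}

def store_password(username: str, password: str) -> None:
    """Keep only a per-user salt and the PBKDF2 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username] = {"salt": salt, "digest": digest, "reset_token_hash": None}

def verify_password(username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, rec["digest"])

def issue_reset_token(username: str) -> str:
    """Return the one-time token that goes into the reset link; store only its SHA-256."""
    token = secrets.token_urlsafe(32)
    USERS[username]["reset_token_hash"] = hashlib.sha256(token.encode()).digest()
    return token

def redeem_reset_token(username: str, token: str, new_password: str) -> bool:
    """Accept the token once, then replace the password (which also clears the token)."""
    rec = USERS.get(username)
    if rec is None or rec["reset_token_hash"] is None:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["reset_token_hash"]):
        return False
    store_password(username, new_password)  # new salt, new digest, token hash back to None
    return True

def exposed_view(username: str) -> dict:
    """What a leaked dump of the stored record would show: opaque hex, no secrets."""
    rec = USERS[username]
    return {k: (v.hex() if v is not None else None) for k, v in rec.items()}
```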

  6. another unsecured ELK cluster by astrofurter · Score: 2

    From TFA: "The data itself was displayed via Kibana, a popular tool for visualizing and sorting data."

    So this is yet another case of an unsecured ELK (Elasticsearch, Logstash, and Kibana) cluster sitting wide open on the public internet. Most likely an AWS managed ES cluster - which have lately become notorious for their terrible security. Terrible because AWS refuses to give a dime to the company that wrote the software and therefore gets no cooperation from them, yet is also too cheap to implement their own security layer.

    I've been a reasonably satisfied user of AWS for many years. But I do not hesitate to call the AWS managed Elasticsearch offering a security nightmare. And a social affront to the open source community.

    My company recently switched from AWS ES (with a home-rolled security layer) to Elastic Co's managed ES service. Dealing with Elastic's enterprise-y salescreatures is a real pain. But their managed ES service is simultaneously much better and (in some configurations) slightly cheaper than the AWS offering.

    1. Re:another unsecured ELK cluster by phantomfive · Score: 2

      There is absolutely zero reason to have any database on the open internet. "nmap $hostname$" today, make sure your IPs are not exposing things they shouldn't.

      --
      "First they came for the slanderers and i said nothing."