Details on locks, RFID systems, and others included

Jul 13, 2016 21:20 GMT  ·  By

A leaky CouchDB database was fixed over the weekend, after it exposed internal security details for the Oklahoma Department of Public Safety buildings, and even for a branch of the Oklahoma-based Midfirst Bank.

MacKeeper security researcher Chris Vickery discovered the database on Saturday, July 9, 2016. The CouchDB server belonged to physical security firm Automation Integrated and allowed anyone access to its contents without requiring users to authenticate using a password.
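As an added illustration, not taken from the article and not Automation Integrated's actual configuration, the CouchDB `local.ini` condition that produces exactly this kind of exposure is shown beside its hardened form. It assumes CouchDB 2.x section names (`chttpd`); the password value is a placeholder.

```ini
; --- WEAK (matches the exposure described above) ---
; A CouchDB with no administrator defined runs in "admin party" mode:
; every anonymous request is treated as an administrator, so anyone who can
; reach the port can list and read every database and attachment.
[admins]
; (no administrator accounts defined)

[chttpd]
; listening on every interface puts the admin party on the public internet
bind_address = 0.0.0.0
; anonymous requests are accepted
require_valid_user = false

; --- HARDENED ---
; Define an admin (CouchDB replaces the plaintext with a salted hash on next
; start), listen only where needed, and refuse anonymous requests entirely.
[admins]
; placeholder: set a real, strong password before starting the server
admin = REPLACE_WITH_STRONG_PASSWORD

[chttpd]
; bind to loopback or an internal address and front it with TLS/reverse proxy
bind_address = 127.0.0.1
; every request must carry valid credentials; an anonymous GET /_all_dbs
; now gets 401 instead of the full database list
require_valid_user = true
```

After applying the hardened block, confirm the fix the way the researcher did: an unauthenticated request for the database list from outside the host should be refused, not answered.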

Database contained details about locks and alarm systems

Vickery says the database contained details such as the make and model of various locks and alarm systems, the location where they were installed, warranty coverage, and whether the system was functional.

The researcher even found images of various security systems such as locks, RFID access panels, controller boards, and others.

The researcher reported his findings to an Automation Integrated engineer via phone call and later also sent an email containing some of the photos as proof of his findings. Some of the photos are attached to this article courtesy of Mr. Vickery.

This is how companies should react to data leaks

The researcher was impressed with the company's response because, hours later, he received a phone call from Automation Integrated's vice-president, who personally thanked him for reporting the issue and kindly asked him to verify whether the problem was still present.

The way Vickery was treated is in stark contrast to how uKnowKids dealt with his findings in late February, when he was accused of hacking the company, even though he had only reported another, similar leaky database.

Taking into account that some of the locks and alarm system details he discovered were located at police stations and banks, the situation could have escalated very easily and in the worst possible way.

"This is an example of excellent incident response," Vickery said. "What he did do was fix the issue promptly, verify with the original reporter that the issue was fixed, and he appreciated the fact that someone would go out of their way to make sure an issue like this was taken care of. [...] Companies make these mistakes all the time. I wish more of them would react as well as Automation Integrated did."

[Gallery: data from the exposed server (3 images): a screenshot of the exposed database's contents and photos found in the exposed database]