Massive Leak Found For AJCloud, Top Provider for Amazon Sold IP Cameras, AJCloud Pushed Us to Hide Leak

bashis mcw and Sean Patton
Published May 25, 2023 11:59 AM

IPVM discovered a massive data leak in Ajcloud's GitLab instance at gitlab.ajcloud.net. When we notified the company, they asked us to hide their name in IPVM reporting.


Executive Summary

IPVM discovered a cybersecurity leak in gitlab.ajcloud.net that allowed an unauthenticated attacker to access server source code, RSA private keys, certificates, AWS/Alicloud secret keys, and SMTP usernames and passwords. After we notified them, Ajcloud fixed the issue and then repeatedly asked us to hide their company name in our reporting.

For full technical details see IPVM Research Report: Amazon's Top Selling IP Camera Wansview - Cyber Security Tested and Amazon's Top Selling IP Camera Wansview Tested

We estimate that at least 1 million cameras are managed and controlled by Ajcloud, most notably those of Wansview, a top seller of IP cameras on Amazon with 50,000+ total product reviews.

Data Leak Risk Overview

Ajcloud likely allowed unauthenticated public access for years. Google first indexed gitlab.ajcloud.net in 2017, though we could not determine,

The danger of the leak is that it exposed fundamental server-side source code and credentials, leaving Ajcloud and its customers vulnerable to several levels of attack. Below is a redacted example of what was publicly leaked:

IPVM Image

With access to the server-side source code, an attacker can analyze it for vulnerabilities and then exploit what they find to gain unauthorized access to the affected systems.

With the AWS and Alicloud secret keys, an attacker could gain administrator-level access to the cloud accounts behind the services Ajcloud runs for its surveillance and smart home customers (e.g. Wansview, Philips, Faleemi, etc.), and potentially access sensitive user data (usernames, passwords, connected devices), change configurations, or even create additional unauthorized accounts.

The exposed RSA private keys and certificates mean an attacker could decrypt or forge sensitive data and communications, sign malicious code, and impersonate a legitimate server, enabling man-in-the-middle attacks and further compromise.

Attackers could also obtain the SMTP usernames and passwords, giving them unauthorized access to Ajcloud mail servers to send spam or phishing emails, and potentially to intercept sensitive email communications (e.g. banking or identity details).
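The classes of material listed above (cloud access keys, PEM private keys, SMTP credentials) are exactly what a secret scanner run over a repository mirror, or in CI before a push, is meant to catch. The script below is an added example written for this page, not code from IPVM, Ajcloud, or Wansview. All file contents in it are constructed placeholders, none of them real credentials or material from gitlab.ajcloud.net. It combines literal key-format patterns with an entropy check on assignments whose key name hints at a secret; the `LTAI` prefix for Alibaba Cloud AccessKey IDs, the secret-name hint list, and the 4.0 bits/char entropy cut-off are assumptions of this example that a team should tune to its own code base.

```python
"""Offline secret scanner over an in-memory repository tree.

Added illustration only; not the scanner, code or data of any party in
the article. Flags cloud access key IDs, PEM private keys, SMTP
credentials, and high-entropy values assigned to secret-looking names.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    sample: str  # redacted excerpt, never the full secret


# Literal formats. AWS access key IDs begin with AKIA (long-term) or ASIA
# (temporary); Alibaba Cloud AccessKey IDs conventionally begin with LTAI
# (assumed convention for this example).
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "alicloud_access_key_id": re.compile(r"(?<![A-Za-z0-9])LTAI[A-Za-z0-9]{12,20}(?![A-Za-z0-9])"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # smtp://user:password@host URLs, or SMTP_PASS / smtp_password assignments
    "smtp_credential": re.compile(r"smtps?://[^\s:/@]+:[^\s@]+@|smtp[_.-]?pass(?:word)?\s*[:=]\s*\S+", re.I),
}

# key = value assignments whose value is a long opaque token (e.g. a 40-char
# AWS secret access key). Only flagged when the key name hints at a secret
# AND the value is high-entropy, so placeholders like CHANGEME are skipped.
ASSIGNMENT = re.compile(r"""(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*["']?(?P<val>[A-Za-z0-9+/=_\-]{20,})["']?""")
SECRET_KEY_HINT = re.compile(r"secret|token|passw|private", re.I)
ENTROPY_THRESHOLD = 4.0  # bits/char (assumed): random base64 ~5+, English words ~3


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(s: str) -> str:
    """Keep only a prefix/suffix so reports can be shared without re-leaking."""
    return s[:4] + "..." + s[-2:] if len(s) > 8 else "..."


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            key, val = m.group("key"), m.group("val")
            if SECRET_KEY_HINT.search(key) and shannon_entropy(val) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_secret", f"{key}={redact(val)}"))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping (e.g. produced by walking a checkout)."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample tree: made-up, non-functional values for illustration.
SAMPLE_FILES = {
    "README.md": "Deployment notes. Secrets are read from the vault at runtime.\n",
    "deploy/prod.env": (
        "# constructed sample, not real credentials\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\n"
        "AWS_SECRET_ACCESS_KEY=q3Wz8Lp1Xv6Rk0Ym4Ts9Nb2Hd7Fg5Jc1Qe3Ua8Bo\n"
        "ALICLOUD_ACCESS_KEY_ID=LTAI5tExampleKey01\n"
        "DB_PASSWORD=CHANGEME_CHANGEME_CHANGEME\n"   # low entropy: not flagged
    ),
    "config/mailer.yml": (
        "smtp:\n"
        "  host: mail.example.com\n"
        "  url: smtp://alerts:s3cretMail@mail.example.com:587\n"
    ),
    "certs/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBOgIBAAJBAKconstructedplaceholdernotarealkey\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.sample})")
```

Run against a real checkout by walking the tree into the `files` mapping (skipping binaries and `.git/`), and wire the same function into a pre-receive hook or CI job so a commit containing a key is rejected before it ever reaches an instance that might be reachable from the internet. The entropy gate is a trade-off: it suppresses `CHANGEME`-style placeholders but will also miss a genuinely weak, low-entropy password, so it complements rather than replaces the literal patterns.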

Ajcloud Notified / Initial Response

IPVM notified Ajcloud and Wansview of the vulnerability on May 1, 2023. Ajcloud responded 2 days later, confirming the issue and that they had fixed the leak:

Dear Bashis and IPVM team,

I am writing to express my gratitude for your team's recent notification of a security vulnerability in one of our services. Your prompt and thorough attention to this issue has helped us to take immediate action and protect our data.

I want to assure you that we take security issues very seriously and have already taken steps to address this issue. We have conducted a thorough review of our systems and have implemented additional measures to ensure the safety and security of our data.

We appreciate your expertise and ongoing efforts to make the internet a safer place for all. Please let us know if you have any additional suggestions or advice regarding security best practices.

Thank you again for bringing this matter to our attention.

Sincerely,

Ajcloud team

Ajcloud Asked IPVM Not To Disclose Details

When Ajcloud was notified that we would be publishing details of the leak in a report, they asked us not to disclose details of the vulnerability:

Thank you for your prompt response to my previous email. I appreciate your understanding and willingness to help with the security issue we reported.

However, I would like to kindly request that you do not disclose the specific details of the vulnerability in your upcoming IPVM report. While we have addressed the issue promptly, we would prefer to keep the details of the vulnerability private for the time being. [Emphasis Added]

I hope you understand our concerns and can comply with our request. Thank you for your cooperation and continued support.

While companies want to keep vulnerabilities private (see Critical Vulnerabilities In Hikvision Hik-Connect, Hikvision Hides From Public), this lack of transparency is unethical once the party that discovered the vulnerability has followed responsible disclosure.

Not Reporting to 3rd Parties

2 days later, when informed that IPVM would be publishing specific details about the leak, Ajcloud told IPVM that it had not reported the leak to "any other third party":

Thank you for getting back to me. We understand your intention to release the report and we appreciate your efforts to help improve our security measures.

Regarding your question, we have not reported this vulnerability to any other third party at this time. However, please rest assured that we will ensure that this mistake will not be exploited by anyone else. [Emphasis Added]

"Work Together", Not Name Ajcloud?

Further, in the same email, Ajcloud offered to "work together" to acknowledge the leak, but again, not to name Ajcloud:

While we appreciate your help in identifying and resolving the security issue, we kindly request that you do not disclose the specific details of the mistake that was found. We believe that such disclosure may have a negative impact on our business partners and customers.

May I ask who the primary audience of the upcoming report will be? This information would be helpful for us to better understand the report's scope and reach. We are open to discussing how we can work together to acknowledge your findings while also protecting the interests of our business. Perhaps it would be possible to disclose the nature of the issue without explicitly naming our company?

Thank you for your consideration, and please let me know if there are any further details that you require. [Emphasis Added]

2 More Requests To Hide Company

Ajcloud sent 2 additional emails requesting that IPVM hide details that would identify Ajcloud:

We kindly request that you proceed with your report, but can hide some details of our company, such as company name, etc. If you have any additional questions or require further information from us, please let us know, and we will be glad to assist.

Your findings are meaningful, and we do not oppose including them in your report. However, we kindly suggest that, in order to protect our company's interests, you consider omitting specific details that could directly identify our company. This request is made in good faith and does not diminish the significance of your work. [Emphasis Added]

IPVM declined Ajcloud's offers to hide details or work with Ajcloud by not disclosing the leak.

Comments (2)
bashis mcw
May 26, 2023

The last contact IPVM had with AjCloud was on May 8, 2023, and today, the day after the report was published, we received the email below to which we responded that we do not accept donations and generally recommend donations to The Linux Foundation.

IPVM Image

Undisclosed Integrator #1
Jun 07, 2023

Sadly, one of my first thoughts was, "That's not so bad. At least they didn't threaten to sue you."