Centova Cast High vulnerality

Centova Cast High vulnerality

Read 9663 times

psychopulpo

  • Newbie
  • *
  • Posts: 2
Logged

January 25, 2020, 03:45:54 pm

Centova Cast High vulnerality
It seems that centova has a fairly large vulnerability, not more than 1 week ago I installed this application, which worked correctly, until one day I find that I can not connect, this after contacting the support I realize that the _WARNING table created I had a message above it says the following.

|  1 | Hello,

I am a security researcher from Sweden,
having interest on web security and other focus areas.

Your MySQL server(version 5.7.29), database "centova"
was breached by a 3rd party and files were backed up to cloud storage.

I accidently discovered this dedicated cloud storage and was able to secure the fil                                                                                                                                                          es.

It is scheduled to be sold online.
The short-term consequences of this data leak could be fees, fines and frustration.

To prevent this i will remove all files from online storage above
and restore the database if needed.

        please send exactly 0.3 bitcoin (BTC) to the following
        bitcoin address: 1AuqCQa13niBYfjyjHWaE6QRMSxwD8Mwka

email me in about an hour after the payment,
and I email you back the link to download the original
dump file centova.sql.gz created with mysql mydumper.

radioparanormalium

  • Newbie
  • *
  • Posts: 24
Logged

January 29, 2020, 12:55:03 pm, #1

The issue may be related to the security of your database more than to Centova Cast itself.

Dr Bunsen

  • Full Member
  • ***
  • Posts: 162
    • Party Vibe Radio
Logged

February 05, 2020, 04:08:49 pm, #2

Quote from: psychopulpo on January 25, 2020, 03:45:54 pm
It seems that centova has a fairly large vulnerability, not more than 1 week ago I installed this application, which worked correctly, until one day I find that I can not connect, this after contacting the support I realize that the _WARNING table created I had a message above it says the following.

|  1 | Hello,

I am a security researcher from Sweden,
having interest on web security and other focus areas.

Your MySQL server(version 5.7.29), database "centova"
was breached by a 3rd party and files were backed up to cloud storage.

I accidently discovered this dedicated cloud storage and was able to secure the fil                                                                                                                                                          es.

It is scheduled to be sold online.
The short-term consequences of this data leak could be fees, fines and frustration.

To prevent this i will remove all files from online storage above
and restore the database if needed.

        please send exactly 0.3 bitcoin (BTC) to the following
        bitcoin address: 1AuqCQa13niBYfjyjHWaE6QRMSxwD8Mwka

email me in about an hour after the payment,
and I email you back the link to download the original
dump file centova.sql.gz created with mysql mydumper.

What version of CentovaCast we're you running at the time of the hack? A security fix went into the last release. Regardless I doubt the contents of your database would be of value to anyone at all... just my 2 cents.