Thousands Of Users’ Data Exposed By FormGet Security Flaw

Thousands Of Formget Users’ Data Exposed

A security researcher reached out to a news outlet about a massive data exposure at Formget, a company based in Bhopal, India, that provides email marketing and online form-building services.

The researcher found that Formget had left an Amazon S3 storage bucket publicly accessible, and contacted the outlet in the hope of getting Formget to secure the data.

The news outlet reached out to the company on Wednesday (July 24), and the exposed bucket was taken offline overnight. The company’s founder, Neeraj Agarwal, did not respond to repeated emails asking for comment.

The exposed bucket held thousands of sensitive documents and files, organised into a folder for each year going back to 2013, each with sub-folders by month, full of user documents.

There were scans of passports, paychecks, Social Security numbers, identity cards and driver’s licenses, as well as letters from the Department of Veterans Affairs certifying veterans for disability payments and stating how much they were paid. The bucket also contained detailed mortgage and loan information, bank statements and bills, proof of residency and active-duty forms, all with personal information in plain view.

The data also included internal corporate documents marked “confidential” or “internal use only”; UPS shipping labels carrying names, phone numbers and a description of the contents; resumes with addresses, education and job histories; invoices for services billed by companies such as Google and Formget; and airline and hotel receipts.

Private data inadvertently becoming public has been a recurring problem in recent years, sometimes traced to server migrations or changed permissions. Many companies blame human error, but one senior cloud security engineer said that exposing data this way is not easy to do by accident.

“In the case of Amazon, the default settings on an S3 bucket are private – no direct unauthorized internet access is allowed,” the engineer said. “When there are these reports in the news of massive leaks, it’s getting harder to point the blame at the cloud provider. On any installation in the past several years, developers have to go out of their way to expose these records. Once an organization leaks data in a grossly negligent way like this, they have little to blame but themselves.”
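The engineer’s point is that an S3 bucket only becomes world-readable when someone explicitly grants it: a bucket policy with Principal "*" allowing s3:GetObject, or an ACL grant to the AllUsers group. The following is an added example, not code from the article or from Formget, showing offline what that deliberate misconfiguration looks like next to a bucket in its default state, and how to evaluate it the way AWS does (Block Public Access settings, then ACL, then policy). The bucket names, the sample grants and the policy are constructed for the example; the AllUsers and AuthenticatedUsers group URIs and the Block Public Access flag names are the real ones AWS uses.

```python
"""Offline check for the class of S3 misconfiguration the engineer describes.

Constructed sample inputs are shaped like the relevant parts of the S3 API
responses (GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy). Nothing here
contacts AWS.
"""
import json
from typing import Optional

# Grantee URIs S3 uses in ACLs for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# Constructed: a bucket whose access settings nobody has touched. Only the
# owner holds an ACL grant, there is no bucket policy, Block Public Access is on.
DEFAULT_BUCKET = {
    "Name": "default-private-bucket",
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
    "Policy": None,
}

# Constructed: the policy a developer has to write on purpose to expose every object.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::exposed-documents-bucket/*"}],
})

# Constructed: Block Public Access switched off, public ACL grant, public policy.
EXPOSED_BUCKET = {
    "Name": "exposed-documents-bucket",
    "PublicAccessBlock": {},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},  # anyone may list keys
    ],
    "Policy": PUBLIC_READ_POLICY,  # anyone may fetch any object
}

# Constructed: the same public policy, but Block Public Access left on, so it has no effect.
BLOCKED_BUCKET = {
    "Name": "policy-public-but-blocked",
    "PublicAccessBlock": {"RestrictPublicBuckets": True, "IgnorePublicAcls": True},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
    "Policy": PUBLIC_READ_POLICY,
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, signed or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_actions(policy_json: Optional[str]) -> set:
    """Actions the bucket policy grants unconditionally to everyone."""
    if not policy_json:
        return set()
    actions = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # A grant with a Condition (e.g. aws:SourceVpc) is scoped, not open to the world.
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt \
                and _principal_is_public(stmt.get("Principal")):
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def acl_public_permissions(grants) -> set:
    """ACL permissions granted to the AllUsers or AuthenticatedUsers groups."""
    return {g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS}


def assess_bucket(bucket: dict) -> dict:
    """Decide whether the bucket's keys can be listed or its objects fetched by anyone."""
    pab = bucket.get("PublicAccessBlock") or {}
    acl_perms = acl_public_permissions(bucket.get("Grants", []))
    pol_actions = policy_public_actions(bucket.get("Policy"))
    # IgnorePublicAcls makes S3 disregard public ACL grants; RestrictPublicBuckets
    # limits a public bucket policy to principals inside the owning account.
    if pab.get("IgnorePublicAcls", False):
        acl_perms = set()
    if pab.get("RestrictPublicBuckets", False):
        pol_actions = set()
    wildcard = {"s3:*", "*"}
    # A bucket-ACL READ grant permits listing; fetching objects needs s3:GetObject in
    # the policy (per-object ACLs are outside this bucket-level check).
    public_list = bool({"READ", "FULL_CONTROL"} & acl_perms) or bool(({"s3:ListBucket"} | wildcard) & pol_actions)
    public_read = bool(({"s3:GetObject"} | wildcard) & pol_actions)
    return {"bucket": bucket["Name"], "public_list": public_list, "public_read": public_read,
            "acl_public_permissions": sorted(acl_perms), "policy_public_actions": sorted(pol_actions)}


def audit_all() -> list:
    return [assess_bucket(b) for b in (DEFAULT_BUCKET, EXPOSED_BUCKET, BLOCKED_BUCKET)]


if __name__ == "__main__":
    for result in audit_all():
        print(json.dumps(result))
```

Only the middle bucket comes out as readable by anyone: its owner had to turn off Block Public Access, add an AllUsers grant and write a wildcard-principal policy, none of which is the default state of a bucket. The third bucket carries the same public policy but stays closed because RestrictPublicBuckets was left on, which is why a bucket-level audit should read all three inputs together rather than the policy alone.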