Widely used Uniguest Kiosk software found exposing several sensitive details

Two serious flaws in kiosk software made by Uniguest could allow attackers to obtain customers' private details. The software is widely used by businesses across a range of sectors.


What’s the matter?


Researchers from Trustwave SpiderLabs had found that a Uniguest website (ucrew.uniguest.com) was publicly exposed on the internet. The website appeared to contain all the tools that technicians would need to deploy or manage a kiosk at their locations.


The website also hosted an application called SystemSleuth, which could be downloaded by anyone who reached the Uniguest subdomain intended only for the company’s technicians. Using it, the researchers were able to retrieve all of the data dumped into the Uniguest cloud database, including admin, router and BIOS passwords. The data also contained product keys and various other sensitive details about Uniguest’s customers.


Where do the problems exist?


Trustwave researchers discovered that the publicly exposed ‘ucrew.uniguest.com’ website required no authentication for access. Furthermore, the SystemSleuth tool, which is written in C#, could easily be decompiled back to source code with dnSpy. SystemSleuth’s purpose is to collect asset information such as product keys, asset tags, passwords and other sensitive details, and to send them to a Salesforce API.


The second problem existed in the Salesforce API. The researchers revealed that the API is accessible via the SOAP protocol.


“The Salesforce API is accessible via the SOAP protocol, and we can use the open-source SoapUI tool to run some test queries. First, we need a session ID issued by aut ..