The CyberNews research team uncovered an unsecured Amazon Simple Storage Service bucket of confidential user chat logs belonging to the real estate app Tellus, a US-based software company.
Tellus is a software company based in Palo Alto, California, backed by “well-known investors” that aims to “reimagine Real Estate for the modern era.” The company’s app portfolio includes the Tellus App, a real estate loan, management and investing program. Its target users are American landlords and tenants, who can receive and pay rent money, as well as keep all of their ownership and rent-related data, such as rental listings, personal information, and correspondence between tenants and landlords, in one place.
The data bucket in question contains a folder with 6,729 CSV files related to the Tellus app that include the app’s user records, chat logs, and transaction records left on a publicly accessible Amazon storage server.
We discovered the exposed data by scanning through open Amazon Simple Storage Service (S3) buckets, which are online servers that can be used to store data for websites, apps, archives, IoT devices, and more.
Amazon S3 buckets are also known for being challenging to secure, leaving many servers unprotected – and often in the news.
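The two defects the article names, a bucket readable without authentication and with no encryption, are both visible in a bucket's own configuration. The following is an added example (not CyberNews' or Tellus' code) that evaluates the raw response bodies of the S3 GetBucketAcl, GetPublicAccessBlock, GetBucketPolicy and GetBucketEncryption calls and reports the misconfigurations that leave a bucket public or unencrypted; the sample configurations are constructed to mirror the state described here, since the article does not show Tellus' actual settings.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(acl, public_access_block, encryption, policy_json=None):
    """Return findings for one bucket, given the response bodies of GetBucketAcl,
    GetPublicAccessBlock (None if unset), GetBucketEncryption (None if unset)
    and the Policy string from GetBucketPolicy (None if unset)."""
    findings = []
    # 1. ACL grants to the global groups let anyone (or any AWS account) list/read.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    # 2. Block Public Access: all four flags should be on; a missing config means all off.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    off = [k for k in PAB_KEYS if not pab.get(k, False)]
    if off:
        findings.append("Block Public Access disabled: " + ", ".join(off))
    # 3. An Allow statement with a wildcard principal and no Condition is world-accessible.
    if policy_json:
        for stmt in json.loads(policy_json).get("Statement", []):
            principal = stmt.get("Principal")
            wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
            if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
                findings.append(f"policy allows {stmt.get('Action')} to any principal")
    # 4. No default server-side encryption rule: objects rest unencrypted unless each
    #    upload requests encryption explicitly.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("no default server-side encryption")
    return findings


# Constructed sample mirroring the "unsecured and unencrypted" state the article describes.
EXPOSED = dict(
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    public_access_block=None,
    encryption=None,
)
# Constructed sample of the hardened state: owner-only ACL, all BPA flags on, SSE-S3 default.
HARDENED = dict(
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    public_access_block={"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
)

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket(**cfg) or ["no findings"])
```

Since January 2023 S3 applies SSE-S3 encryption to new objects by default, and since April 2023 new buckets are created with Block Public Access on and ACLs disabled, so the conditions this check flags now arise mainly on buckets created earlier or where someone has switched those protections off.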
We identified Tellus as the owner of the database and notified the company about the leak. As of May 15, the data bucket security issue has been fixed by the Tellus security team and the data is no longer accessible.
The unsecured and unencrypted Amazon S3 bucket contains, among other things:
All of this data is conveniently stored in spreadsheet format that can be easily opened, read, and downloaded by anyone who knows what to look for.
The exposed user records contain:
Example of leaked user records:
The private messages in the chat logs and tenant lead files contain not only the texts of the conversations themselves, but also deeply sensitive content attached therein, including:
Example of leaked private messages:
Example of leaked tenant lead messages:
Example of leaked transaction records:
This means that, in the worst-case scenario, leaving the Tellus S3 bucket unsecured and unencrypted might have led to the continued exposure of data belonging to the entire Tellus user base over a period of up to two years, from 2018 to 2020.
The exposed data was hosted on an Amazon Simple Storage Service (S3) server and located in the US. It is currently unknown for how long the data was left unprotected, and we assume that anyone who knew what to look for could have accessed the data bucket without needing any kind of authentication during the unspecified exposure period.
With that said, it is unclear whether any malicious actors accessed the unsecured data bucket before it was closed by Tellus.
While in terms of sheer numbers this might not appear to be a major leak, the impact on the nearly 17,000 Americans whose records were exposed could be significant if certain data were made publicly available.
Here’s how attackers might use the information found in the Tellus S3 bucket against the exposed users:
Original post available on Cybernews:
About the author: Edvardas Mikalauskas
Edvardas Mikalauskas is a writer for CyberNews.com. Ed’s interests include all things tech and cybersecurity. You can reach him via email or find him on Twitter giggling at jokes posted by parody accounts.
(SecurityAffairs – Real estate app leaking, hacking)