Weight Watchers accidentally exposes internal IT infrastructure via unprotected Kubernetes server
Another day, another cloud misconfiguration breach. Security researchers discovered that a server belonging to the popular weight loss program Weight Watchers, holding sensitive data about the firm's IT infrastructure, had been left exposed online without any authentication.
Weight Watchers has offices in 30 countries and is reportedly estimated to earn around $1.7 billion per year. The exposed data, if accessed by malicious threat actors, could have given them the ability to compromise the company's systems.
The exposure was discovered by Kromtech Security researchers, who identified the server leaking the sensitive data as a Kubernetes server. Kubernetes is an open-source container orchestration tool originally developed by Google that can operate thousands of containers simultaneously.
“This Kubernetes cluster was found on at least three IPs with a kubelet port (10250) exposed, allowing access to all pods' specifications, including the AWS Access key (access key ID and secret access key) and several dozen S3 buckets,” Kromtech security researchers wrote in a blog.
The researchers stated that the Kubernetes servers exposed administrator root access, keys for 102 domains, data of users with administrative credentials and more. However, it is still unclear exactly what data was exposed, how long it was exposed online, and whether anyone else had also accessed the Kubernetes server.
Kromtech researcher Bob Diachenko told Bleeping Computer that they notified Weight Watchers about the data exposure, after which the company quickly fixed the issue.
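What an unauthenticated kubelet hands over, as an added example that is not part of the original article or of Kromtech's research: the script below parses a constructed PodList of the shape the kubelet's `/pods` endpoint returns and reports literal credentials placed in container environment variables, plus containers explicitly running as root. The pod names, images and the AWS keys (AWS's documented placeholder values) are constructed sample data; `fetch_pods_json` is an assumed helper for running the same check against a live node you are authorized to test, and is not called by default.

```python
import json
import re
import ssl
import urllib.request

# Constructed sample of what GET https://<node>:10250/pods returns when the
# kubelet accepts anonymous requests. Illustrative data only, not the
# response from the cluster discussed in the article.
SAMPLE_PODS_JSON = json.dumps({
    "kind": "PodList",
    "apiVersion": "v1",
    "items": [
        {
            "metadata": {"name": "uploader-7d9f", "namespace": "backend"},
            "spec": {"containers": [{
                "name": "uploader",
                "image": "example/uploader:1.2",
                "securityContext": {"runAsUser": 0},
                "env": [
                    # AWS's published example key pair, used here as a placeholder.
                    {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
                    {"name": "AWS_SECRET_ACCESS_KEY",
                     "value": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
                    {"name": "BUCKET", "value": "example-uploads"},
                ],
            }]},
        },
        {
            "metadata": {"name": "web-5c6b", "namespace": "frontend"},
            "spec": {"containers": [{
                "name": "web",
                "image": "example/web:3.0",
                "env": [
                    # A secretKeyRef is a reference; the secret bytes are not
                    # inlined into the pod spec the kubelet returns.
                    {"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
                ],
            }]},
        },
    ],
})

ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SENSITIVE_NAME_RE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|ACCESS_KEY|PRIVATE_KEY", re.I)


def mask(value):
    """Show only the first and last four characters of a credential."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def iter_containers(podlist):
    """Yield (namespace, pod name, container spec) for init and app containers."""
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            yield meta.get("namespace", "default"), meta.get("name", "?"), c


def find_exposed_credentials(podlist_json):
    """Return env vars whose literal value looks like a credential.

    Only `value` entries are readable from the spec; `valueFrom` references
    are skipped because the kubelet does not expand them in /pods output.
    """
    findings = []
    for ns, pod, c in iter_containers(json.loads(podlist_json)):
        for env in c.get("env", []):
            value = env.get("value")
            if value is None:
                continue
            name = env.get("name", "")
            if ACCESS_KEY_ID_RE.search(value) or SENSITIVE_NAME_RE.search(name):
                findings.append({"namespace": ns, "pod": pod, "container": c.get("name"),
                                 "env": name, "value": mask(value)})
    return findings


def find_root_containers(podlist_json):
    """Return (namespace, pod, container) for containers explicitly run as UID 0."""
    out = []
    for ns, pod, c in iter_containers(json.loads(podlist_json)):
        sc = c.get("securityContext") or {}
        if sc.get("runAsUser") == 0:
            out.append((ns, pod, c.get("name")))
    return out


def fetch_pods_json(node, port=10250, timeout=5):
    """Assumed helper: query a live kubelet (authorized testing only).

    Kubelet serving certificates are usually self-signed, so verification is
    disabled; an unauthenticated 200 here is the misconfiguration itself.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{node}:{port}/pods", context=ctx,
                                timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_PODS_JSON):
        print("credential in pod spec:", f)
    for ns, pod, name in find_root_containers(SAMPLE_PODS_JSON):
        print(f"container running as root: {ns}/{pod}/{name}")
```

Against the constructed sample the script reports the two AWS variables in `backend/uploader-7d9f` (masked) and flags that container as running as root, while `DB_PASSWORD`, which is delivered through a Secret reference, is not readable from the spec. That distinction is the practical lesson: credentials that must exist in a cluster belong in Secrets or an instance role, never as literal `value` entries that anyone able to read the pod spec inherits.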
“We really appreciate the community working to make us all safer. We have confirmed the issue - a security group for a test cluster in our non-production account was misconfigured during testing,” Weight Watchers responded to Kromtech. “The issue should be resolved and keys should be revoked. We’ve also implemented some safeguards to protect against this issue from recurrence.”
In a statement to Bleeping Computer, a Weight Watchers spokesperson said: "Last week, Weight Watchers received a report from security researchers related to the exposure of credentials in one non-production AWS account. The account was in a testing environment clearly labeled 'nonprod' and is used only to test new services and features."
Weight Watchers said that there is currently “no indication” that any personally identifiable information was exposed by the breach. The company is one in a long line of firms that have fallen victim to an inadvertent data breach due to misconfigured cloud servers. This year alone, Honda, Tesla and Universal suffered similar breaches, leading to exposure of sensitive data.
According to IBM X-Force, data breaches related to misconfigured cloud infrastructure rose by 424% in 2017. IBM X-Force researchers said misconfigured cloud servers were responsible for nearly 70% of all the records compromised in 2017 and that human error remains one of the weak links in security.
This trend of inadvertent data breaches seems to have spilled over into 2018 as well. However, organizations can avoid such breaches with some basic security measures, starting with requiring authentication on every administrative interface. In the case of Kubernetes, the kubelet API on port 10250 should reject anonymous requests and enforce authorization, the kubelet and API server ports should be reachable only from inside the cluster network rather than from the internet, and long-lived cloud credentials should not be written into pod specifications, where anyone able to read the spec inherits the access. Containers should also not run as root, because a root container that is compromised can give an attacker far broader access to the node.
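Checking the kubelet settings that decide whether port 10250 answers anonymous requests, as an added example that is not from the article or from Weight Watchers: the audit below evaluates two constructed `KubeletConfiguration` fragments, a weak one and a hardened one, using the real field names `authentication.anonymous.enabled`, `authentication.webhook.enabled`, `authentication.x509.clientCAFile`, `authorization.mode` and `readOnlyPort`. Treating a missing key as unhardened is a conservative choice made by this example, not kubelet's own default behaviour; the CA path is a placeholder.

```python
# Constructed KubeletConfiguration fragments expressed as Python dicts; the
# keys are the same ones used in the kubelet's YAML config file.
WEAK_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": True},
                       "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},   # any request is authorized
    "readOnlyPort": 10255,                      # unauthenticated HTTP /pods
}

HARDENED_KUBELET_CONFIG = {
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True},
                       "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},  # placeholder path
    "authorization": {"mode": "Webhook"},       # delegate to the API server's RBAC
    "readOnlyPort": 0,                          # disable the read-only port
}


def audit_kubelet_config(cfg):
    """Return a list of findings; an empty list means no weak setting was found.

    A missing key is reported as a finding (conservative), so the config must
    state the hardened value explicitly to pass.
    """
    findings = []
    auth = cfg.get("authentication", {})
    anonymous = auth.get("anonymous", {}).get("enabled")
    if anonymous is not False:
        findings.append("authentication.anonymous.enabled is not false: "
                        "unauthenticated clients can call the kubelet API")

    webhook = auth.get("webhook", {}).get("enabled") is True
    x509_ca = bool(auth.get("x509", {}).get("clientCAFile"))
    if not (webhook or x509_ca):
        findings.append("no authenticated path configured: enable "
                        "authentication.webhook or set authentication.x509.clientCAFile")

    mode = cfg.get("authorization", {}).get("mode")
    if mode != "Webhook":
        findings.append(f"authorization.mode is {mode!r}: set it to Webhook so "
                        "requests are checked against the API server's RBAC")

    if cfg.get("readOnlyPort", 0) != 0:
        findings.append("readOnlyPort is non-zero: the unauthenticated read-only "
                        "port serves /pods and metrics over plain HTTP")
    return findings


def is_hardened(cfg):
    return not audit_kubelet_config(cfg)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_KUBELET_CONFIG), ("hardened", HARDENED_KUBELET_CONFIG)):
        issues = audit_kubelet_config(cfg)
        print(f"{label}: {len(issues)} finding(s)")
        for issue in issues:
            print("  -", issue)
```

The weak fragment produces four findings and the hardened one none. Configuration alone is not the whole fix: even with anonymous access disabled, the kubelet port should be filtered by the node's security group so that it is reachable only from the control plane and other nodes, and any credential that was readable while the port was open must be rotated, as Weight Watchers' own response notes.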