Redis (Remote Dictionary Server) is a BSD license-based open-source project developed by Salvatore Sanfilippo in 2009 that queries data with Key through a Key-Value Store database. Since Redis is a memory-based DBMS, it operates at a faster speed than regular disk storage databases. It is a preferable option to alternatives because it can support various data types such as Hashes, List, and Set. Typically, it is used to store Result Cache and data in systems that have to process large amounts of messages in real time, such as Facebook, Instagram and Tumblr. In addition, it is used as a repository in systems for small services and fast response processing.
Data Breach Possibility From Exposed Redis Commander
Redis Commander is a Node.js web application used to manage databases stored on Redis servers. As a GUI tool that enhances usage through auto completion and document input/output functions, all Redis data types can be edited on a web-based basis. However, this means that Redis Commander can become a remote data grab tool for malicious means, especially when exposed to the wide web without authentication means.
This is due to the nature of Redis database and its commander, which means that in case of a breach, all control of its databases can be granted to unauthorized users. This can lead to serious data breaches.
How to Find Redis Commander Servers Through the Favicon Filter
Criminal IP’s favicon filter allows users to search for a Favicon hash on a website while querying the IP address. Using this feature to search for a Favicon hash of Redis Commander yielded 211 IP addresses in total.
- Related Article(s) : Favicon-Hash, a Tool to Find Spoofed Domains
Accessing one of these Redis Commander server results will connect users to the actual server page for this service. Some servers here reveal sensitive data such as token value of certain users, login cookies etc. that can be queried without the need for authentication processes.
How to Find Redis Commander Servers Through the Title Filter
It’s also possible to find Redis Commander server IPs using the title filter. Criminal IP’s title filter shows IP addresses with Metatag that matches with the keywords inputted.
Searching for “title: Redis Commander” in the Criminal IP Asset Search determines the IP addresses using a total of 384 Redis Commander servers.
This website also includes a page where users can view data updates stored as hash values — all of them without authentication.
When Redis Commander servers are left unattended and vulnerable, this indicates that these databases can be controlled by unauthorized users. Among the various types of Redis data, page cookies and user login credentials are most often leaked as seen in the case above. If a malicious hacker intercepts admin cookie information, they can use this maliciously and access administrator permissions of that Redis commander page.
Neglected Redis Commander servers, therefore, can be the root cause of serious data leaks and hacking incidents. For more information about this issue, see API Key, a Key to Credential Leakage & Manipulation.
Open-source services are popular because they are easily accessible due to low cost and low skill barriers. However, the disadvantage in that primarily comes from its benefits—due to the relatively open nature of the program, it is vulnerable to malicious hacker attacks, especially if proper management and inspections are not carried out. Redis Commander servers, therefore, require special attentions from server administrators as well as periodic security checks on corporate attack surfaces.
Read more about a related, in-depth coverage on Vulnerable Jenkins Servers.
Source : Criminal IP (https://www.criminalip.io)
Related Article(s) : https://blog.criminalip.io/2022/07/20/api-key-leak/