Remine Shared Private Keys and Passwords Carelessly, and This Could Have Led to a Massive Data Breach

Remine Authentication Vulnerability

Security researchers have probably grown pretty tired of discovering and reporting databases that contain large volumes of sensitive information and can be accessed from anywhere without requiring authentication. It's an easy-to-avoid configuration mistake that appears to be extremely common, and sometimes, the potential consequences are severe. Real estate startup Remine managed to avoid this mistake. The company does host data on AWS servers and databases, for example, but it has protected it with a password. Despite this, Mossab Hussein from cybersecurity company spiderSilk discovered a way of accessing all that information. The researcher shared his findings with TechCrunch's Zack Whittaker, who gave us the full rundown.

Remine had a dangerous bug in its development environment

The problem lay not with the way Remine stores its data, but with its development environment. As some of you probably know, the development environment is the place where an online service provider tests, perfects, and debugs new features before releasing them to the public. Normally, only developers and employees would have access to a company's development platform, and in the case of Remine, opening it did indeed require authentication. Mossab Hussein found out, however, that people outside the company could easily create accounts and log in.

Remine developers were sharing credentials and were inadvertently exposing company data

There appears to be no evidence to suggest that someone managed to discover the authentication bug before Hussein, and we can only hope that he was indeed the first person to see it because the mistake would have given hackers access to a lot of sensitive information.

To confirm the bug, Hussein created an account, logged in, and saw unsuspecting Remine developers who were sharing passwords, private keys, and other login data and were unwittingly putting company and user data at risk. The mere fact that developers were freely exchanging login credentials with one another highlights a rather glaring imperfection in Remine's access control policy. This, coupled with the authentication bug, could have given attackers access to an enormous amount of sensitive information.

Two seemingly small mistakes could have resulted in a massive data breach

Some of the credentials that were freely exchanged inside Remine's development environment protected the company's AWS databases. Others would have given attackers access to the platform's Slack workspace. In other words, with the shared information, cybercriminals would have been able to access a lot of data that should never be exposed.

Remine is very proud of the large volume of information it holds. Apparently, it stores details on about 150 million properties spread around most of the US, and when Hussein took a look at some of its storage servers, he found "a decade's worth of documents," which included rent agreements, addresses of buyers and sellers, and other data. Whittaker himself reviewed some of the files, and he saw quite a lot of personally identifiable information of people who have used Remine's services.

Exploiting the bug was not really that difficult, and the potential consequences were pretty massive. Thankfully, Remine's actions suggest that the company realized how serious the situation was. After helping with the responsible disclosure of the problem, Whittaker talked to Jonathan Spinetto, Remine's co-founder and COO, who assured him that the correct steps had been taken. The authentication bug has been patched, and outside people can no longer access the company's development servers. The private keys and passwords that were inadvertently exposed by developers have been changed, and the company has engaged cybersecurity experts who will help with the investigation. Once the results are out, Remine intends to inform everyone involved in accordance with the applicable data breach notification laws.

As Zack Whittaker noted, Remine emerged from the whole thing relatively unharmed. The vulnerability discovery should be a lesson for everybody, though. It should teach us that even relatively small bugs can have major consequences and that protecting an online platform requires careful consideration of all the risks and close attention to detail.

February 26, 2020