With hundreds of thousands of sales every day, Gearbest is a highly successful Chinese e-commerce company.
The site sells a range of electronics and appliances, as well as clothing, accessories, and homeware.
While it sells some internationally known brands, such as OnePlus, most of its products come from smaller Chinese brands.
Gearbest has subdomains in 18 languages, generating global appeal.
Gearbest is owned by the Chinese conglomerate Globalegrow.
The company's runaway success is a triumph for Gearbest and its sister companies.
However, it's not such great news for the site's customers.
vpnMentor can exclusively reveal that Gearbest's database is completely unsecured, as are those belonging to its sister companies.
Gearbest's database isn't just unsecured.
It's also providing potentially malicious agents with a constantly updated supply of fresh data.
The data viewed as a result of this hack reveals this to be untrue.
We saw lots of sensitive information - including email addresses and passwords - that was completely unencrypted.
For example, a shipping address is crucial to fulfilling orders.
An IP address is not.
This is particularly worrying given the current trend towards a more open and honest internet.
Gearbest’s shady practices do the opposite.
Gearbest appears to be violating its own privacy policy.
However, this isn't the most significant risk to user privacy here.
User Safety
An open database filled with personal information can compromise users' safety online.
The records we saw show full sets of unencrypted data, including email addresses and passwords.
(It's worth noting that some email addresses showed signs of hashing.
Our hackers believe this was a partially implemented security measure that is simply not doing its job.)
The screenshot below shows snippets from two sets of user data we harvested from the database.
We were able to get into these two Gearbest accounts and operate them as if we were the users.
We could view current and past orders, accumulated Gearbest points, and change the account password and details.
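The passwords above were readable because they were stored as they were typed. For contrast, the following is an added example (written for this page, not code from Gearbest, Globalegrow or the vpnMentor report) of how a password store should look: each password is run through a memory-hard key derivation function (scrypt, from Python's standard library) with a fresh random salt, and the record carries its own parameters so that verification, and later parameter upgrades, need no external state. The user records and the work factors are constructed for illustration and are assumptions, not values taken from the leaked database.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factors for scrypt. Assumption: a reasonable interactive-login
# default, not figures from the report. 128 * N * r bytes of memory
# per hash (16 MiB here) is what makes offline cracking expensive.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt: identical passwords get different records
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record.

    Anything that is not a well-formed scrypt record (a bare MD5 digest,
    a plaintext password that ended up in the hash column) is rejected
    rather than guessed at.
    """
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, hash_hex = parts
    try:
        digest = hashlib.scrypt(password.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p),
                                dklen=len(hash_hex) // 2)
    except ValueError:
        return False
    # Constant-time comparison: no timing side channel on the hash bytes.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed sample of what a plaintext store looks like (illustrative only).
PLAINTEXT_STORE: List[Dict[str, str]] = [
    {"email": "alice@example.com", "password": "correct horse battery staple"},
    {"email": "bob@example.com", "password": "hunter2"},
]


def harden_store(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Replace every plaintext 'password' field with a salted scrypt record."""
    hardened = []
    for rec in records:
        new_rec = {k: v for k, v in rec.items() if k != "password"}
        new_rec["password_hash"] = hash_password(rec["password"])
        hardened.append(new_rec)
    return hardened


if __name__ == "__main__":
    for rec in harden_store(PLAINTEXT_STORE):
        print(rec["email"], rec["password_hash"][:40] + "...")
```

In practice the migration happens lazily: keep the old column, re-hash each user's password on their next successful login, and refuse logins for accounts that were never migrated after a cutoff date. The point of the example is that a leaked store of this shape gives an attacker only salts and expensive-to-crack digests, whereas the records seen here gave away the passwords themselves.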
However, this information could also be used in a far more sinister way.
By cross-referencing different databases, hackers could easily steal the identities of Gearbest's customers.
It's similar to the Oxxo payment system used in Mexico.
Each voucher features a unique bar code; this gives users access to their money.
In the database we accessed, payments made using either of these methods include a URL for ebanx.
These links show the active vouchers used, complete with their cash amounts.
The data also includes the unique barcodes of Oxxo and Boleto vouchers; this information allows hackers to act as the users.
We could also access customers' receipts, complete with their banking information.
Order Details: Sex Toy Scandal
The exact content of people's orders is visible in the Orders database.
Compared to other information available across these unprotected databases, this doesn't seem particularly shocking.
However, the content of some people's orders has proven very revealing and, in some instances, even life-threatening.
Hidden in the Sales section of Gearbest's Apparel category, users can find a vast array of sex toys.
The nature of the store's open database means the details of your private purchases could quickly become public knowledge.
For many adults across the world, purchasing sex toys is not problematic.
For example, the orders shown in the image below belong to people in Brazil and Greece.
These countries have very permissive laws regarding sexuality and homosexuality.
However, this is not the case everywhere.
While examining the database, we came across order information for a male Pakistani user.
Pakistan does not enjoy the same liberal attitude to sexuality that many Western countries take for granted.
The country's strict laws stipulate that adultery and pre-marital sex are criminal offenses punishable by imprisonment and fines.
The country's religious laws also allow for death by stoning or corporal punishment.
It's also worth noting that, culturally, it is unlikely that the buyer made this purchase for his wife.
We're not malicious and are sharing this (highly censored) information to highlight the dangers of this open database.
Others may have very different intentions.
In the Pakistani government's hands, this information could mean a literal death sentence for this user.
How Gearbest is Harming Itself
Gearbest is exposing millions of users' data.
However, the company is also hurting itself.
The indices our hackers discovered aren't just for their user databases.
They also included URL access to Gearbest's and Globalegrow's Kafka system.
Ethical Hacking
We discovered this breach as part of an ethical hacking project.
They verified the databases' owners by creating, entering, and identifying data.
They discovered that Globalegrow's entire database is unprotected and mostly unencrypted.
The company uses an Elasticsearch database. Elasticsearch serves its data over a plain HTTP API that is not designed to be reachable from the public internet without authentication; once the endpoint is exposed, anyone who knows the URL can list and query every index.
As ethical hackers, we are obliged to reach out to websites when we discover security flaws.
Nonetheless, these ethics also entail a responsibility to the public.
They had several days' notice.
Unfortunately, our repeated attempts to ask these companies to step up and protect their users have been unsuccessful.
At the time of publication, we were yet to receive a response.
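What "URL access" to an Elasticsearch cluster means in practice is easy to check against your own deployment. The following is an added example, written for this page and not part of the vpnMentor report or any Gearbest or Globalegrow code: an unauthenticated GET to the cluster root either returns the cluster's JSON banner (no access control in front of it) or an HTTP 401/403 (security enabled or a proxy in the way), and `/_cat/indices?format=json` then lists every index and its document count. The response-handling logic is kept in pure functions so it can be exercised offline; the sample responses and the host name are constructed for illustration.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError
from typing import List, Tuple

# Constructed sample responses (illustrative, not captured from any real host).
SAMPLE_ROOT_OPEN = (
    '{"name":"node-1","cluster_name":"shop-prod","version":{"number":"6.5.4"},'
    '"tagline":"You Know, for Search"}'
)
SAMPLE_ROOT_DENIED = '{"error":{"type":"security_exception","reason":"missing authentication"}}'
SAMPLE_CAT_INDICES = (
    '[{"index":"orders","docs.count":"1250000"},'
    ' {"index":"users","docs.count":"830000"},'
    ' {"index":"old-logs","docs.count":null}]'
)


def assess_root_response(status: int, body: str) -> str:
    """Classify what an unauthenticated GET / told us about the cluster.

    'exposed'           -> the banner came back with no credentials at all
    'auth-required'     -> some access control is in front of the API
    'not-elasticsearch' -> something answered, but it is not an ES banner
    'unknown'           -> anything else (timeouts, 5xx, ...)
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        info = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(info, dict) and "cluster_name" in info and "version" in info:
        return "exposed"
    return "not-elasticsearch"


def list_indices(cat_body: str) -> List[Tuple[str, int]]:
    """Parse /_cat/indices?format=json into (index name, document count) pairs.

    docs.count is reported as a string and is null for closed indices.
    """
    result = []
    for row in json.loads(cat_body):
        count = row.get("docs.count")
        result.append((row["index"], int(count) if count is not None else 0))
    return result


def fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """GET a URL with no credentials; return (status, body) even on 4xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except URLError:
        return 0, ""


def probe(base_url: str) -> None:
    """Live check of one cluster; only used when run as a script."""
    verdict = assess_root_response(*fetch(base_url + "/"))
    print(base_url, "->", verdict)
    if verdict == "exposed":
        for name, count in list_indices(fetch(base_url + "/_cat/indices?format=json")[1]):
            print(f"  {name}: {count} documents readable without authentication")


if __name__ == "__main__":
    # Hypothetical host, an assumption for the demo; point this at a cluster you own.
    probe("http://es.internal.example:9200")
```

Run this only against infrastructure you are authorised to test. A verdict of `exposed` on a host reachable from the internet is the condition described in this report; the fix is to bind the HTTP interface to a private address, put authentication in front of it, or both, not to rely on the URL being hard to guess.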
Past Reports
We recently revealed that Dalil experienced a massive data breach.
Dalil is Saudi Arabia's largest phone directory app, and the breach affected more than 5 million users.