Chaos Computer Club gained access to German restaurant visitors' data through corona list leak
Members of the German Chaos Computer Club managed to access an online service that restaurants used to store visitor information so that visitors could be contacted in case of a corona infection.
In total, Chaos Computer Club members gained access to 87,313 corona contacts from 180 restaurants using the system. The system belongs to the company Gastronovi, and restaurants can also use it to keep track of reservations, orders and checkout transactions. The vulnerability also allowed the hackers to view 5.4 million reservations, which involved 4.8 million customer data records. The data covered the past ten years.
The researchers claim to have obtained access to all data stored in the cloud system ‘in the blink of an eye’ with full administrative rights. They also found other errors in the API, which, for example, allowed restaurant A to view restaurant B’s corona data. In addition, stored passwords were partly unencrypted.
During a restaurant visit, members of the Chaos Emergency Response Team became suspicious when they had to submit their data for the corona list and were assured that it would be stored securely with a cloud service. Gastronovi confirmed after the CCC’s report that there was a vulnerability and closed it.
The service points to restaurants as responsible for deleting old data, but according to the CCC the restaurants seemed to assume that this responsibility lay with Gastronovi. The club calls the goal of being able to quickly inform restaurant visitors in case of corona infections legitimate and important, but does not recommend the use of cloud services. “The sensitive data will not end up in the restaurant, but in a big pile somewhere on the internet, where they will wait for interested hackers in the coming years,” said a spokesman for the CCC. Restaurants should switch to paper lists, according to the club.