Researcher Chris Vickery said he uncovered four IP addresses that took him straight to a MongoDB database, containing a range of personal information, including names, email addresses, usernames, password hashes, phone numbers, IP addresses, system information, as well as software licenses and activation codes. All Vickery had to do was look for openly accessible MongoDB databases on the Shodan search tool.
There’s another apparent security issue: the passwords were protected with a known-to-be-broken “hashing” algorithm. These algorithms take the plain text password and turn it into garbled letters and digits, using a one-way mathematical formula. If it’s easy to guess how they did so, passwords can be recovered. According to Vickery, it appeared MacKeeper was using MD5 – long-known to be weak. There are a large number of MD5 cracking tools, all of which can figure out the weaker passwords (e.g. ‘123456’ or ‘password1’) in seconds. He said there was no “salt” either, which would add random characters to the password before it’s garbled by the hash algorithm, making cracking more difficult.
The company admitted to FORBES it was using MD5 but was in the process of upgrading to SHA512. It will be resetting passwords too, but said the decision wasn’t connected to the leak, though it has spurred the company on to make changes.
Vickery said he attempted to disclose the problem to Kromtech, the owner of MacKeeper, over the phone yesterday evening, but was initially unable to get through. After he posted about the issues on Reddit, the company responded, dealing with the disclosure over email in an amicable manner. Within hours of learning of its error, MacKeeper said it had fixed the problem, thanking Vickery.
“Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately,” the MacKeeper team wrote in a blog post.
Though it seems no malicious hackers were able to find the glaring vulnerabilities, and it’s promised to do more to protect customers, MacKeeper might not be so lucky in the future.