Security researchers at vpnMentor found a flaw in the Fieldwork software database. Noam Rotem and Ran Locar, cyber security researchers at vpnMentor, found and published a detailed report about the leak on their blog.
Fieldwork is a business management platform marketed towards the pest control, lawn care, pool cleaning, and other home service industries. Owned by Anstar, which produces pest control products, the software helps track employees who make house calls.
The researcher were able to discover this data leak using their extensive web-mapping project. They scanned ports for known IP blocks. From there, the team searched for openings in the system.
This leak included customer names, addresses, phone numbers, email address, alarm codes, signatures, client information, credit card details, photos, and other detailed comments. Most significantly, they found auto-login links that could give access to a user’s Fieldwork service portal.
This is a log for an email template about logging in to the Fieldwork portal. This piece of data included email addresses that are not publicly available for clients to see. Though the password isn’t given outright here, it left open the possibility of finding relevant information in other parts of the database.
According to Lisa, reporter at vpnMentor:
I personally think that the big story here is how your data can be leaking, not from your Amazon account, but rather from Joe your gardener, or Jason your pest control person. People don’t expect that, but nowadays, even if you get some small service provider to visit your home to get rid of the rats, they are using some company you’ve never heard of, that now has your data.
Many of the companies that use Fieldwork have public addresses, but this data also gives information about their clients that companies wouldn’t disclose to the public. It also provides the company’s license number.
The information leaked in the database included:
- Auto-login links
- Email addresses of users
- Email addresses of their customers
- Full names
- Phone numbers of customers
- GPS locations
- IP addresses
- Emails and texts sent to users or customers
- Billing details
- Full credit card details
- Filtered passwords
- Pictures of work sites
- Comments or instructions