Last month, Hack Hex received an email from security researcher at vpnMentor about XSocialMedia flaw which could have led to a potential breach of information.
Security researchers at vpnMentor; Noam Rotem and Ran Locar, discovered multiple vulnerabilities in databases operated by xSocialMedia. They were able to access xSocialMedia’s invoices, customer data, and exact numbers from their advertising campaigns for injury-check.com
xSocialMedia is a Facebook marketing agency that focuses on running campaigns for medical malpractice lawsuits. According to their website, they create Facebook ad campaigns for 230+ clients. Their ads have generated over 16,000 leads.
According to the researchers, they were able to access the following data from the vulnerability:
- First and last name
- Email address
- Street address
- Phone number
- IP address
- Circumstances of the injury
- Explanation about the injury
All of the entries were tagged with “xsocial_submission_id”, which demonstrated that these form submissions were sent by those who clicked on one of the Facebook ads.
Not only xSocialMedia leaked private data, their database also leaked their own bank account information in invoice records they sent to clients, according to the researchers.
We could also see their clients’ names addresses, phone numbers, and email addresses. Much of this is public information, but the specific amount each company is paying xSocialMedia, wouldn’t otherwise be disclosed.
Luckily the researchers were able to contact xSocialMedia team about the vulnerabilities and are now fixed.
Timeline of Discovery and Reaction
- June 2: We discovered the leak in xSocialMedia’s database
- June 3: Linked the breach back to xSocialMedia
- June 5: We contacted xSocialMedia about the breach
- June 11: We contacted xSocialMedia a second time
- June 11: xSocialMedia responded
- June 11: The database was closed