A security report released by IT consultant Johan Pienaar claims accounting software firm Sage Pastel left customer data exposed on an FTP server used by its technical support department to assist clients when they encounter problems with its software.
Founded in 1989, Sage Pastel is a large South African developer of payroll, enterprise resource planning and accounting software for business. The company has more than 200 000 customers, many of which entrust it with sensitive and confidential financial information.
Speaking to TechCentral, Pienaar explains that his small and medium business consultancy, IT Lounge, has a number of clients using Sage Pastel. He recently became aware of the FTP flaw when he placed a support call to the company. He encountered a compatibility problem with one of Sage Pastel’s add-ons, to which the support team responded with a beta version of a patch to fix the issue.
The document sent to Pienaar from the support desk was an outdated Microsoft Word document last amended in 2009, according to the file’s metadata. “It was evident that the password has not been updated since 2009 and any information that was placed on the FTP server has been available for download to any user who, in the six years since, has received support requiring a download from Sage Pastel.”
When Pienaar logged onto the FTP server, he discovered that, alongside support files such as the patch he needed, it held accounting data for “20 or 30 companies”.
Some of this data was uploaded as recently as last week, he says. It was also not secured. “The data tables were not protected at all.”
Using a software tool that is included with every copy of Sage Pastel, anyone who downloads these database tables can read them, he adds. The same method could also be used to reset customer passwords.
Sage Pastel MD Steven Cohen says 75% of the company’s clients are on service contracts that use a secure Dropbox-like service to host data when it is used for support purposes. “Those that are not on contract send us their data via FTP, to which we supply the login details.”
Cohen says the FTP server can only be accessed by Sage Pastel resellers who have been given a username and password to access the service. “Unfortunately, this site hosted other people’s data,” he says, adding that it was visible to another user logged into the FTP server. “At any one time, there are probably 20 sets of data hosted on this server.”
Sage Pastel has since shut down the FTP site and in future will host all of the support data via a secure website.
Although Cohen says it is illegal to access other customers’ data on the FTP server, he agrees that it was an oversight by the company not to employ more secure means.
“We have been working with Microsoft over the last two months on the Azure cloud platform where we want to start hosting our data because that would be more secure.” — © 2014 NewsCentral Media