Digital Distribution Platform Exposed Registration Details of Its Clients

ViewLift, a digital distribution platform, exposed data of its clients for several weeks back in November-December 2018, or maybe even earlier.

According to Shodan historical data, the Elasticsearch instance in question was indexed (hence publicly available, with no password/authorization) for several months in 2018:

80/tcp Elastic (5.3.2) (2018-12-04)

80/tcp Elastic (5.3.2) (2018-11-29)

80/tcp Elastic (5.3.2) (2018-04-11)

According to their site, “ViewLift is a full-service digital content distribution platform empowering media companies, sports leagues and teams, education providers and others to monetize their content through native branded apps on major OTT devices including web, mobile, TV-connected devices, Smart TVs, and gaming consoles.

“ViewLift clients include NBCU; TEGNA; Monumental Sports Network; The Great Courses; Lax Sports Network; Major League Lacrosse; Arena Football League; the five owned-and-operated channels of SnagFilms; and others.”

The exposed Elasticsearch cluster contained more than 5 million records of user registration data. The list of clients included:

  • The Blaze
  • SnagFilms
  • Arena Football
  • Lax Sports Network
  • NeoUFitness
  • HoiChoiTV
  • Pet Collective and others.

 

In most records, user registration data was limited to country, email, name, links to social-media-hosted avatars, and the IPs from which users registered.

The company did not respond to numerous responsible disclosure emails sent back in December last year, but a couple of weeks after the initial discovery the database was taken offline and is no longer available.

 

About the Author

Bob Diachenko
I'm Bob Diachenko. I am Cyber Threat Intelligence Director and journalist at SecurityDiscovery.com. My goal is to help protect data on the Internet by identifying data leaks and following responsible disclosure policies. Our mission is to make the cyber world safer by educating businesses and communities worldwide. Many of my discoveries have been covered in major news and technology media, earning me a reputation as one of the reputable data security analysts. Contact me: bob(at)securitydiscovery.com