New Zealand Company's "Impossible-to-Hack" Security Turns Out to Be No Security at All

The company sent an initial incident response to their clients. You can read my update about it below.

"Beautifully Designed, Easy to Use."

"Comprehensive Software Solution for implementation & maintenance of ISO Standards and other Compliance Requirements such as H&S, Quality, Environmental, Food Safety, Information Security and many more," according to their website.

For those curious about what the company offers, you can check https://teammateapp.com/features, with a special mention to the feature below:

Another good page to understand the claimed security of Teammate App can be read here: https://teammateapp.com/security-policy

On February 11th, 2025, I was looking at some servers running publicly exposed databases and noticed a server with almost 200 tables exposed that contained some interesting names.

After a quick look I wasn't exactly sure who was responsible for the server, and I was busy with other things, so I flagged it to check later. A couple of days later I took a better look and, through DNS records and data in the exposed tables, confirmed it belonged to https://teammateapp.com and was one of their live databases.

I checked my logs to see when I had first flagged this server as exposed, and the first result was from December 3rd, 2024.

On February 15th I sent an email to multiple addresses belonging to the CEO that were exposed in the database: his personal Gmail and a company email for https://kaizenconsulting.co.nz, which according to public records he also owns, and which also had a lot of data exposed here. I also added a couple of Teammate App emails listed on their website.

The first phrase on that email states the following:

I have been adding this phrase to the start of my emails recently because companies assume my emails are either scam/phishing attempts or that I'm some cybersecurity vendor trying to sell them a service or product, and they often ignore my alerts because of it.

The email was read by someone, I assume the CEO, and less than an hour after it was sent I could not connect to the exposed server anymore. I did not get any reply, so a few days later I sent a follow-up email.

In this email I asked the usual questions I ask in my follow-ups: what their intent was regarding notifications, whether the company needed me to delay my publication to give them more time to notify anyone, and whether they wanted to provide an official comment to add to this publication.

A couple of days later I got a reply that is both highly inappropriate and laughable at the same time.

Teammate App CEO Sean Banayan, who has the reading comprehension and IT knowledge of a toddler, decided to reply with the following:

Apparently, alerting him about a severe security issue with his app and sending a follow-up email to try to avoid publishing anything before the company had time to do their own notifications (if that was their intent) means I'm harassing the company.

Sean was not interested in anything I was selling either (I don't sell anything, and state exactly that in my first contact), and he even threatened to stop me if I didn't stop with the "harassment".

He was also kind enough to lie and claim: "There were few more security layers which would have made any data breach impossible anyway and only basic information such as database sizes was exposed."

The email ended with a "Get it", and in light of his demand that I allegedly stop harassing him, and his obvious cluelessness about the security of his own data, I did not reply to that email. The remainder of this post will demonstrate how wildly inaccurate his claims were.

The next part might come as a shock to no one, but companies just tell whatever bullshit serves them best, not only to me but to their clients as well. This is a common occurrence.

Let's see what "exposed basic information such as database sizes" really means.

Top 30 exposed tables in terms of record counts:

The full table list and sizes can be seen here: https://pastebin.com/8q7CNYBi

The database contained a total of 2,963,124 records of exposed data, using around 38GB of storage.

If what Sean wrote to me was the truth, the post would be about done here. In reality it wouldn't even exist: why would I waste my time reporting exposed database sizes and table counts?

So let's analyze some of the exposed tables and the data in them.

The biggest table in terms of records in the DB didn't contain any relevant PII that I was aware of; it held the updates made to the fields of the various forms companies have on the app. I saw a few links to actual filed forms in some tables and could open them with no authentication, but I did not look much into it.

The user table contained usernames, emails, auth tokens and passwords. Around 9,000 users had bcrypt-hashed passwords and around 6,000 had auth tokens set.

It also contained multiple foreign keys to other tables in the database with more information on the users, such as companyId, employeeId, supplierId, etc.

The top 20 email domains exposed in the user table and their counts:

A full count of the email domains can be seen here: https://pastebin.com/6L4hb2wL

The employees table contained fields such as first and last name, company and workplace foreign keys, email, phone and mobile, date of birth, and a field with additional information such as medical recommendations. There were multiple other tables related to employee data, such as employeesppes, which contained PPE (personal protective equipment) information, mostly uniform sizes.

Top 20 email domains in the employees table:

A full count of the email domains can be seen here: https://pastebin.com/5vgz1JKq

The files table, if looked at briefly, probably wouldn't mean much. There are no actual documents exposed in it; it contains partial paths, filenames, notes, and information on who each file belongs to, etc., through multiple foreign keys to other tables.

Checking the companyId foreign key to find the companies with the most records in the table, we get the following top 10:

The counts are only for a single ID; if a company had multiple IDs, the file count with all of them put together would be higher. I did not look for such cases.

I was told about multiple security layers that made a data breach impossible, so of course I had to dig through this table until I found a way to test whether the files were actually secure. I guess some of those layers were malfunctioning at the time, because, as expected, I could actually download the files without any authentication.

The download link still redirected me to https://myteammateapp.com/login, but a request for the file still went through if the file still exists in storage. From a small sample, around 75% of the files still exist and can still be accessed without any authentication or login.

The links still work as of publishing this. People would still need to know exactly how to get the working link, but the company exposed that publicly for 2 months; who knows how many people got access to that information.

The sample contained files such as:

There were multiple more file types, but I have no interest in downloading around 60,000 files just to prove a point.

The server IP was scanned by multiple websites that scan for open ports; I noticed it on at least 2 different websites.

Was anyone looking at the logs to see random IPs connecting and querying for "basic information" for over 2 months? What else were people doing that these supposed security layers missed? I'm sure the company has an answer for that.

There is likely more data exposed here. This post only reveals a small sample of what was exposed, but I can't dedicate all my free time to analyzing it, and I'm not interested in doing an in-depth security audit of the exposed data for a company that told me not to harass them.

This post serves to refute the claims of "impossible to hack" security made by Sean. If you're a client or employee that uses the app, you might be wondering what else was exposed here. I would tell you to contact Sean or the company for clarification, but be wary: you might be harassing them if you ask any questions.

I bet it felt really good and mighty sending that email shitting on me as if I'm some random idiot begging people to buy something, but some advice for you: next time, maybe use Google to look up what ProtonMail is before claiming you're gonna report me to my boss, Proton. But thanks for the laughs on that one.

Also, maybe read what I wrote in my email, where I mention I'm not selling anything to you. In fact, I alerted you of some gross incompetence free of charge and likely prevented your data from being wiped by some Russian running an automated script that wipes everything it connects to. I've seen it happen live before on the same service this data was exposed on.

You might read this post and think that now you are for sure reporting me to my boss, but you'll be disappointed to know that I do not work for anyone, so you can't go and harass my boss with stupid claims.

Those database sizes sure did contain a lot more than just the size. Oops.

And one last thing, Sean:

Comments

How can I check my own web app isn't exposing data like that?

Also, based on some of those email addresses used, all NZ blood testing labs are using this system. Yikes.

Mate, you might know what's going on more than this CEO, but you certainly aren't more professional or mature than him.
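One way to check your own app for the failure the post describes (a "protected" download that redirects the client to the login page yet still hands over the file, or simply answers an anonymous request with a 200 and the file bytes), as an added example that is not the author's code: it fetches each URL with no cookies or auth headers, refuses to follow redirects, and classifies what came back. The `/login` path, the `Observed` type and the sample responses in the test are constructed stand-ins for your own app's values.

```python
"""Audit that login-gated download URLs really refuse anonymous requests.
Added example, not code from the post; URLs, sample responses and the
"/login" path are constructed stand-ins for your own app's values."""
from dataclasses import dataclass
from typing import Optional
import urllib.error
import urllib.request

@dataclass
class Observed:
    status: int
    location: Optional[str]   # Location header of a 3xx, if any
    content_type: str
    body_len: int             # bytes actually returned to the anonymous client

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError on 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_anonymous(url: str, timeout: float = 10.0) -> Observed:
    """GET the URL with no cookies or auth headers and record what came back."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "authz-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read()
            return Observed(resp.status, resp.headers.get("Location"),
                            resp.headers.get("Content-Type", ""), len(body))
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx land here
        body = err.read()
        return Observed(err.code, err.headers.get("Location"),
                        err.headers.get("Content-Type", ""), len(body))

def verdict(obs: Observed, login_path: str = "/login") -> str:
    """DENIED: 401/403, or a login redirect carrying only an HTML stub.
    LEAKS: a 200 that hands the file to an anonymous client.
    REDIRECT_WITH_BODY: told to log in, yet non-HTML bytes came back anyway,
    the pattern the post describes. Anything else is reported as-is."""
    if obs.status in (401, 403):
        return "DENIED"
    if 300 <= obs.status < 400:
        to_login = obs.location is not None and login_path in obs.location
        if to_login and (obs.body_len == 0 or "text/html" in obs.content_type):
            return "DENIED"
        if obs.body_len > 0 and "text/html" not in obs.content_type:
            return "REDIRECT_WITH_BODY"
        return "REDIRECT_ELSEWHERE"
    return "LEAKS" if obs.status == 200 else f"UNEXPECTED_{obs.status}"
```

Run `verdict(fetch_anonymous(url))` over every file URL your app treats as login-only, from a host with no session; any result other than DENIED needs a look.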