After ASRock, MSI Also Found Exposing Customer After-Sales Data: Over 600,000 Users' Information Freely Downloadable
Previously, motherboard manufacturer ASRock was discovered to have leaked a vast amount of detailed after-sales customer information. The leakage occurred because ASRock failed to set the necessary permissions for their servers, allowing search engine crawlers to directly index the after-sales request forms submitted by users. These forms contained users' real names, phone numbers, detailed addresses, and more.
Now, MSI has been found to have the same security incident. By using specific keywords, one can find MSI's after-sales service website through search engines, and it contains various detailed user-submitted records.
Through the after-sales service website, anyone can directly download and export user data submitted through MSI's official website since 2017, also including real names, phone numbers, and detailed addresses, among other information.
Tests showed that it was even possible to resubmit after-sales requests, track detailed information of after-sales requests, access responses and reasons for malfunctions provided by MSI, and expose the information of well-known game streamers.
This issue was discovered by the YouTube channel Gamers Nexus, which immediately notified MSI for resolution. MSI's approach to dealing with the problem was rather blunt, as they directly blocked access to the relevant servers and even stopped resolving the subdomain.
However, this method does not completely solve the problem because some search engines still provide cached pages, allowing access to related after-sales request information and thus users' detailed information.
Since the problem can be traced back to 2017, it means that the information of over 600,000 users has been exposed on the internet for 7 years. What's worse is that MSI's situation is more severe than ASRock's, as MSI's after-sales system even allows exporting all data as an Excel file.
The same basic security issue occurred with both MSI and ASRock, stemming from their failure to configure the necessary permissions for their servers, which allowed search engines and anyone else to access them. It seems likely that the security teams of these companies have not thoroughly checked the permissions of their internal infrastructure.
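To make the missing-permission pattern concrete, here is an added example (not code from the article, and not taken from MSI's or ASRock's systems) that models a support-ticket endpoint in plain Python. The misconfigured handler answers any request, including an anonymous crawler's, with the full record and no anti-indexing headers; the hardened handler requires a login session, authorizes per ticket, restricts bulk export to staff, and sets `X-Robots-Tag: noindex, noarchive` and `Cache-Control: private, no-store` so that pages are neither indexed nor kept in shared caches. All ticket data, user ids and function names are constructed for illustration.

```python
# Added example: a minimal model of an after-sales ticket endpoint, showing the
# missing-permission pattern described in the article beside a hardened version.
# Every ticket, user id and handler name here is constructed for illustration;
# none of it comes from MSI's or ASRock's real systems.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    owner_id: int          # account that submitted the after-sales request
    name: str
    phone: str
    address: str
    fault: str             # vendor's stated reason for the malfunction

# Constructed sample records (fake personal data).
TICKETS: Dict[int, Ticket] = {
    1001: Ticket(1001, 7, "A. Example", "+1-555-0100", "1 Sample St", "GPU fan failure"),
    1002: Ticket(1002, 9, "B. Example", "+1-555-0101", "2 Sample Ave", "No POST"),
}

# Response headers that keep a page out of search indexes and shared caches.
PRIVATE_HEADERS = {
    "X-Robots-Tag": "noindex, noarchive",
    "Cache-Control": "private, no-store",
}

def ticket_view_weak(ticket_id: int, session_user: Optional[int] = None):
    """Misconfigured endpoint: no login required, no ownership check and no
    anti-indexing headers, so a crawler or any visitor receives the record."""
    t = TICKETS.get(ticket_id)
    return (404, {}, None) if t is None else (200, {}, t)

def ticket_view_hardened(ticket_id: int, session_user: Optional[int] = None,
                         is_staff: bool = False):
    """Hardened endpoint: authenticate first, then authorize per object.
    Unknown and foreign tickets both return 404 so ids cannot be enumerated."""
    if session_user is None:
        return (401, PRIVATE_HEADERS, None)
    t = TICKETS.get(ticket_id)
    if t is None or (t.owner_id != session_user and not is_staff):
        return (404, PRIVATE_HEADERS, None)
    return (200, PRIVATE_HEADERS, t)

def export_all_hardened(session_user: Optional[int], is_staff: bool):
    """Bulk export is a staff-only action and is never reachable without a session."""
    if session_user is None or not is_staff:
        return (403, PRIVATE_HEADERS, None)
    return (200, PRIVATE_HEADERS, list(TICKETS.values()))

def audit_ticket_view(view) -> list:
    """Exercise a handler the way a defender's regression test would and list
    the ways it leaks. An empty list means every check passed."""
    findings = []
    status, headers, body = view(1001)                   # anonymous, like a crawler
    if status == 200 and body is not None:
        findings.append("anonymous request returns a ticket record")
    status, headers, body = view(1001, session_user=9)   # logged in as another customer
    if status == 200 and body is not None:
        findings.append("authenticated user can read another user's ticket")
    status, headers, body = view(1001, session_user=7)   # the ticket's owner
    if status == 200 and "noindex" not in headers.get("X-Robots-Tag", ""):
        findings.append("owner page lacks X-Robots-Tag: noindex")
    if status == 200 and "no-store" not in headers.get("Cache-Control", ""):
        findings.append("owner page lacks Cache-Control: no-store")
    return findings

if __name__ == "__main__":
    print("weak:", audit_ticket_view(ticket_view_weak))
    print("hardened:", audit_ticket_view(ticket_view_hardened))
```

The `audit_ticket_view` check is the kind of test that belongs in a CI pipeline for any portal that stores customer-submitted forms: it fails the build as soon as an endpoint serves a record without a session or to the wrong account. Two design points match the incident described above. First, returning 404 rather than 403 for someone else's ticket avoids confirming which ids exist. Second, the `noindex, noarchive` and `no-store` headers prevent new copies from being indexed or cached, but they do nothing for copies search engines already hold; those must be removed through the engines' own removal procedures, which is why blocking the server and dropping the DNS record, as MSI did, left cached pages reachable.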