Since October 2023, I've discovered more than 10M records containing people's PII and helped many companies worldwide secure sensitive information. The companies range from e-shops and hospitals to human resource consulting agencies. They all had one catastrophic thing in common: misconfigured Elasticsearch hosts.

Elasticsearch is a distributed search and analytics engine built on Apache Lucene. It is often also used as a primary database in place of a conventional DBMS. It is particularly common for e-shops to use Elasticsearch as a database, storing order and shipment details, which include customer PII such as

etc. As with any widely deployed technology, misconfigurations are not uncommon: the HTTP API (port 9200 by default) is left reachable from the Internet, or authentication is never switched on (self-managed clusters before version 8.0 shipped with the security features disabled by default, so an unauthenticated GET to the host returns the cluster banner and every index is readable). The goal is to go after such hosts, identify them, and report them to the organizations that own them (when it's possible to find out who that is).

Statistics

Of the discovered exposed hosts that are of significance (meaning the exposure causes an actual leak of PII rather than, say, application logs), here are some results:

Elastic(search²): host aggregation and analysis

This work and research wouldn't be possible without some automation. A CLI script would be quick and to the point, but I decided to build a web tool with analysis capabilities and a nice presentation of the results. The tool is called Elastic(search²).


Using it is as easy as entering your Shodan API key, choosing the country, and hitting enter.


The tool keeps track of the already-discovered hosts and reports only the new ones on each run. Keyword analysis flags index names containing strings that suggest a leak (think "users", "orders", "customers"), and an on-demand keyword analysis of an index's mappings and documents looks for strings such as JWTs, "password", "fullname", etc. Both keyword lists can be adjusted to add more words. There's also a cleanup function to get rid of stored hosts that are no longer responsive. Please, try it out!
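To make the two checks described on this page concrete (the missing-authentication check from the misconfiguration paragraph, and the index-name and on-demand keyword/JWT analysis from the paragraph above), here is an added example in Python. It is not the Elastic(search²) tool's code; the keyword lists, the `_cat/indices` rows, the mapping and the document it runs on are constructed samples, and the `fetch` helper is only there to show how the same functions would be fed by a live host.

```python
"""Triage helpers for an exposed Elasticsearch host: unauthenticated-access
check, index-name keyword analysis, and keyword/JWT analysis of mappings and
documents. Added example, not the Elastic(search^2) tool's own code; all
keyword lists and sample responses below are constructed for illustration."""
import json
import re
import urllib.error
import urllib.request

# Index names that typically hold records about people (constructed list).
INDEX_NAME_KEYWORDS = ["user", "customer", "order", "shipment", "employee",
                       "patient", "candidate", "resume", "invoice", "payment",
                       "account", "profile"]
# Field names that are sensitive on their own (constructed list).
FIELD_KEYWORDS = ["password", "passwd", "secret", "token", "jwt", "fullname",
                  "full_name", "email", "phone", "ssn", "iban", "address",
                  "dob", "birth"]
# A JWT is three base64url segments; a JSON header always encodes to "eyJ...".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def fetch(base_url, path, timeout=5):
    """GET base_url+path without credentials; returns (status, body).
    Network call: not exercised by the offline sample run at the bottom."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def classify_root(status, body):
    """Classify the reply to an unauthenticated GET /: 'open' (cluster banner
    returned, no auth), 'auth-required' (401/403, security is on) or
    'unknown' (proxy page, some other service on the port)."""
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        info = json.loads(body)
    except ValueError:
        return "unknown"
    # The banner of an open node carries cluster_name and the Elastic tagline.
    if isinstance(info, dict) and ("cluster_name" in info
                                   or info.get("tagline") == "You Know, for Search"):
        return "open"
    return "unknown"


def _matches(name, keywords):
    """All keywords that occur (case-insensitively) in name."""
    low = name.lower()
    return [kw for kw in keywords if kw in low]


def suspicious_indices(cat_indices, keywords=INDEX_NAME_KEYWORDS):
    """Take the parsed JSON of GET /_cat/indices?format=json and return
    (index, doc_count, matched_keywords) for every non-system index whose
    name hits the keyword list."""
    hits = []
    for row in cat_indices:
        name = row.get("index", "")
        if name.startswith("."):        # .kibana, .security, ... are system indices
            continue
        matched = _matches(name, keywords)
        if matched:
            hits.append((name, int(row.get("docs.count") or 0), matched))
    return hits


def suspicious_fields(mapping, index, keywords=FIELD_KEYWORDS):
    """Walk GET /<index>/_mapping output and return dotted paths of fields
    whose leaf name hits the keyword list (nested objects via 'properties')."""
    found = []

    def walk(props, prefix):
        for name, spec in props.items():
            path = f"{prefix}.{name}" if prefix else name
            if _matches(name, keywords):
                found.append(path)
            if isinstance(spec, dict) and "properties" in spec:
                walk(spec["properties"], path)

    walk(mapping[index]["mappings"].get("properties", {}), "")
    return found


def scan_document(doc, prefix=""):
    """Return (path, reason) for every key that hits the keyword list and
    every string value that looks like a JWT, recursing into objects/arrays."""
    findings = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            path = f"{prefix}.{key}" if prefix else key
            for kw in _matches(key, FIELD_KEYWORDS):
                findings.append((path, f"keyword:{kw}"))
            findings.extend(scan_document(value, path))
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            findings.extend(scan_document(item, f"{prefix}[{i}]"))
    elif isinstance(doc, str) and JWT_RE.search(doc):
        findings.append((prefix, "jwt"))
    return findings


# Constructed sample responses standing in for a live host.
SAMPLE_ROOT = ('{"name": "node-1", "cluster_name": "shop-es", '
               '"version": {"number": "7.10.2"}, "tagline": "You Know, for Search"}')
SAMPLE_CAT_INDICES = [
    {"health": "green", "status": "open", "index": ".kibana_1", "docs.count": "12"},
    {"health": "yellow", "status": "open", "index": "orders-2024", "docs.count": "184233"},
    {"health": "yellow", "status": "open", "index": "logs-nginx", "docs.count": "9012"},
    {"health": "yellow", "status": "open", "index": "customer_profiles", "docs.count": "55012"},
]
SAMPLE_MAPPING = {"orders-2024": {"mappings": {"properties": {
    "order_id": {"type": "keyword"},
    "customer": {"properties": {"fullname": {"type": "text"},
                                "email": {"type": "keyword"},
                                "phone": {"type": "keyword"}}},
    "shipping": {"properties": {"address": {"type": "text"},
                                "city": {"type": "keyword"}}},
    "total": {"type": "float"},
}}}}
SAMPLE_DOC = {"order_id": "A-1001",
              "customer": {"fullname": "Jane Doe", "email": "jane@example.com"},
              "session": {"token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.ZmFrZXNpZw"},
              "total": 42.5}

if __name__ == "__main__":
    print("root:", classify_root(200, SAMPLE_ROOT))
    print("indices:", suspicious_indices(SAMPLE_CAT_INDICES))
    print("fields:", suspicious_fields(SAMPLE_MAPPING, "orders-2024"))
    print("document:", scan_document(SAMPLE_DOC))
```

Against a real host the same pipeline is `fetch(host, "/")`, then `fetch(host, "/_cat/indices?format=json")`, then `/<index>/_mapping` and `/<index>/_search?size=1` for the indices that were flagged; the document scan deliberately only looks at field names and at token-shaped values, so a sample of one or two documents is enough to confirm a leak without pulling the data set down.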