VehiclesFashionRecipesBlogsHuntTravelsSportFunHandmadeITEducation
Mini-Games
x

x
zakruti.com » IT - Software » Gamers Nexus
Zotac's Big Mistake - Consumer Warranty & Business Data Exposure

Zotac's Big Mistake - Consumer Warranty & Business Data Exposure

FBTwitterReddit

video description

Rating: 4.0; Vote: 1
Sponsor: NZXT C1500 Platinum PSU on Amazon https://geni.us/KvKlUi Zotac was hosting customer RMA files, business-to-business transactions, invoices, bill of lading memos, credit memos, customer Amazon order history, chat logs, email logs, and addresses and phone numbers in a way which was publicly discoverable through Google. In fact, a Google search simply of Zotac RMA (without even using a site flag) would surface private customer emails and contact information within 1 page, sometimes 2. We notified Zotac urgently and withheld reporting until the company removed access to as many of these files as possible. The rest remains cached, but there are tools to try and get it removed for affected users. Zotac has fixed the basics, so we felt comfortable to publish. SUPPORT OUR REPORTING DIRECTLY! Grab a GN CyberSkeleton V2 T-shirt: https://store.gamersnexus.net/products/limited-edition-foil-cyberskeleton2-cotton-tshirt Like our content Please consider becoming our Patron to support us: http://www.patreon.com/gamersnexus TIMESTAMPS 00:00 - Zotac Issues 01:31 - Wrong Server Setup 03:14 - How Bad Was It 05:55 - A Viewer's Discovery 09:02 - What YOU Should Do 10:24 - Public Service Announcement 12:42 - Zotac's Response Please like, comment, and subscribe for more! Links to Amazon and Newegg are typically monetized on our channel (affiliate links) and may return a commission of sales to us from the retailer. This is unrelated to the product manufacturer. Any advertisements or sponsorships are disclosed within the video (this video is brought to you by) and above the fold in the description. We do not ever produce paid content or sponsored content (meaning that the content is our idea and is not funded externally aside from whatever ad placement is in the beginning) and we do not ever charge manufacturers for coverage. Follow us in these locations for more gaming and hardware updates: t: http://www.twitter.com/gamersnexus f: http://www.facebook.com/gamersnexus w: http://www.gamersnexus.net/ Steve Burke: Host, Writing, Video Editing Tim Phetdara: Pre-Cut Editing
Date: 2024-07-07

Comments and reviews: 20


I'm not the original tipster to GN, but I also stumbled upon this around the same time after looking around for the Zotac RMA form for a friend. I broke the news on the Zotac subreddit after spending some time on the phone with a Zotac support person about it where I was passed aroud the chain until I was eventually handed to somebody higher up. I'm not going to go into detail about that call, as everything you need to know is already in this video.
I was able to scrape everything named here easily for hours before anything was done. If I were trying to be malicious, I could have feasibly downloaded enough to cause some serious damage for a couple dozen to maybe a hundred people at least. I'm not going to do that, let me be perfectly clear, but there was that kind of stuff floating around for several hours. I saw at least 7 different home addresses.
Based on what I've seen online in this breach, this could be disastrous for those people. There was some not just identifiable, but identity theft level information out there for some of them. At the very least, all of your emails have almost certainly been scraped into some database.
If you have had an RMA or other contact with Zotac, do what you can to secure everything right now. Some people are going to want to be canceling cards from their bank.

reply

set .htaccess with an index(html|htm|php|whatever) file, you can add a rewrite rule to htaccess to keep crawlers from a directory, but they may not follow it, but you need to change some settings, and if you can do that, might as well add the rule to the server, you should also have a robots.txt file...
Honestly, never expose that server path, even tot he client. use php, python, whatever your server is running and serve the pdf files remotely, and write custom error catching, so the error doesn't expose the path.
I've been building web sites for over 25 years for myself mostly but a somewhat newb IT/Webmaster should know basic server setup, even folders can have permissions: chmod -v 0750 grants the owner read, write, and execute permissions, the group read and execute permissions, and denies any permissions to others

reply

14:15 - That rep's reaction was absolutely glorious!
Thank you. I'm glad you got that down and shared it with us.
__
(: Some military history nerdery below)
Kinda reminds me of WW2 US Navy's head honcho Fleet Admiral Ernest J. King (of infamous temper and having little-to-no patience for pencil pushing bureaucrats) once he found out about Bureau of Ordnance's mind-boggling 2-year-long negligence/incompetence regarding the Mark 14 torpedo.
Sufficed to say, Mr. Perpetually Angry NavyBoss-guy went to have a little chat with BuOrd, and thuslike Steve aptly put it: shortly after that conversation, things, uh, got set into gear..., finally.
It's incredibly unfortunate that the actual talk wasn't transcripted/recorded, because, oh boynow, there's a boss encounter I'd love to see a VoD of.

reply

When I worked as platform engineer at a large retailer we had a bucket for uploading public data, mostly product shots that was used by business people; it was literally called -public. One day we audit the thing because we heard a rumor business people have started using it as some sort of data exchange drive, and found a bunch of internal financial data. Fortunately these people weren't handling customer data directly; this was just after GDPR took effect. We walked over to the divisions office and found out that no, naming a bucket public doesn't communicate that it's the ENTIRE public and not just people in the office. We took away access from most people that day and told regular old IT that these people needed some sort of sharepoint access... which they didn't have.
reply

Censoring and removing sensitive information from documents requested by those companies particularly when part of the RMA process generally isn't going to work. The service representatives are often trained to refuse documents that have been manipulated in any way for fraud prevention, demonstrating to them you have the know how to edit documents is just asking for trouble. I've tried doing this in the past blacking out stuff or watermarking documents so I know who's data breach it comes from. But most of the time they refuse to accept it or just completely ghost me.
reply

I can imagine the service agent removed the file/s of the 'initial' affected customer, but wouldn't (or at least shouldn't) have any permissions to make changes to fix the issue. Best they could do was flag it up internally. Given the delay in responding it sounds like there is no internal process to flag security issues, rather the issue probably just landed in someone's inbox mixed in with dozens of other emails (the recipient may even have been on leave).
reply

dear lord, a hacker definitely would exploit this before it was found...easy pickin's, sorry if you bought a ZOTAC product folks, it looks like the company is going to be sued by a large amount of corporations, ZOTAC will probably sue their third-party contractor for storing the data, in an insecure matter and you may not see any compensation from the class action.
reply

Well, that's a clear GDPR violation. Incompetence is not covered in the exception clause and depending on the scale this can result in an up to 10% revenue fine over the span of the offsense.
So if you are customer in Europe, you should file an GDPR data discover request right now - even foreign countries have to apply to your laws when they do business in the EU.

reply

We must place governments in power that will institute new laws to stop these companies collecting ANY data from customers and make it illegal to force anyone to have unnecessary accounts. Any accounts if they don't want to have one. The penalties need to be much higher for breaches, like f-ing life in prison.
reply

THANK YOU for doing your due-diligence and reporting this in an ethical way. If something like this went on blast before they took any steps to fix it, that information would've been immediately scraped by so many bad actors before the rest of us could even finish watching the video.
reply

i think zotac is trolling amd fanboys with proof of amazing sales data that nobody buying amd cards...ZERO AMD GPU's SOLD ...vs NVIDIA ...over $110k worth of sales ...thats shocker in given day....and bad part MSI no longer making anymore future amd gpu's ...they terminated amd partnership
reply

There's this thing in EU and UK called GDPR...
Basically if a company holds personal data of its customers it has to guarantee that data is safe because if it leaks to the internet it will face a fine of 10% of it's annual income.
Poor zotac... We will keep you in our hearts.

reply

when customer tells zotac about the security issue : things don't move at all
when GN tells zotac about the security issue: things moved pretty quickly
sad that zotac basically said, 'fk off' when the customer let them know about it...
def gonna stay the fk away from zotac

reply

I'm astounded all this fuss about exposing user data. As near as I can tell everyone who has ever entered their name into a computer has already lost all privacy. Your name, address, date of birth, marital status, children, parents, etc all are public information.
reply

Oof
Linus and luke were just talking last wan show about how good a reputation zotac had built lately.
Thankfully this was addressed (addressed not fixed, i don't think this can be simply fixed), still, it feels like this could have been easily prevented.

reply

If you could, you know, accidentally make the schematics public, by mistake, so that the repair shops, which totally shouldn't have these schematics, can have an easier time repairing GPUs, but not with these schematic obviously, that would be great.
reply

That’s called skipping past the department manager trying to cover his ass and going straight to the board through their business partners. It gets done real quick when the top finds out what their underlings are hiding and money is involved.
reply

Thats the moment where european laws just start to lube up your butthole.
European data protection laws are not a joke anymore. The fines are designed to hurt.
So if any european customer is now exposed on this, he can just sue zotac....

reply

Insecure Direct Object Referencing / Broken Access Control = Currently #1 in the OWASP Security Risks.
Authentication who are you , but Authorisation = what you are allow to view once logged in.
Seams like they failed at both :(

reply

holy hell. should i be afraid to rma my zotac 4090 with them lol. it randomly started to give me the black screens of death after almost two years of ownership/EDITED nevermind i went back to the 9:02 mark on the video. thanks Steve!
reply
Add a review, comment






Other channel videos