A serious security vulnerability in hardware manufacturer MSI allowed unauthorized individuals to access customer data from warranty processing. The data was publicly discoverable via search engines and could become a real gold mine for fraudsters.
Intranet with search engine access
Nexus players The security flaw was reported after a viewer alerted the US publication. The supposed manufacturer's intranet can be found online and is accessible without any security measures. Not even a login is required.
Worse still: MSI’s internal website is actually listed as the fourth-most searched site on the first page of results when searching for “MSI RMA web server” on DuckDuckGo. Tickets for MSI’s warranty processing can be accessed through the system, dating back to at least 2017. High Nexus players There are over 600,000 cases that can not only be viewed, but also easily retrieved automatically.
Gold mine for scammers
Even if no credit card data or other payment data is recorded in the system, a lot of customers’ personal data is affected. This includes, among other things, names, email addresses, postal addresses, phone numbers, information about purchased products and proof of purchase. All this data can be easily exported and saved as Excel spreadsheets with a single mouse click. It was also possible to access shipment tracking data using buttons on the interface.
This information allows scammers to impersonate customer service and target potential victims. Since the data is already private and the concern at the time is used as a supposed legitimate reason, they are more likely to fall for it than unidentified scam attempts. Nexus players Options mentioned here include, for example, intercepting packets containing (partially) defective devices or fake upgrade offers promising a much better replacement device for a small additional cost.
The responsible disclosure gap has been closed.
By the time the video was posted, the gap no longer existed. Nexus players I contacted MSI as part of the responsible disclosure process. The manufacturer was given a deadline to close access to the compromised RMA system before the incident could be reported to the public. According to Gamers Nexus, MSI complied quickly.
It is not clear from the video whether the datasets also include customers from Germany or if the issue only affects MSI’s US division. Warranty in Germany is usually handled through the dealer from whom the product was purchased. However, RMA transactions are often handled directly between customers and manufacturers.
Many thanks to user ChrisM for pointing this out!
