ActiveMQ Unprotected Portal

I heard about ActiveMQ -- a message broker used in corporations.

I searched SHODAN for "ActiveMQ" and found this:

The admin page gives me control over their operations without any password or security barrier at all. I can view transactions, and apparently delete them and create new ones!

This looks like real live financial data:

I found an abbreviation for the company, and located an insurance company that uses that abbreviation.

I phoned their "Fraud" division, and was transferred up the ladder, and within two hours a real infosec guy called me back.

I emailed him these images.

However, the next day the portal was still open, so I explored it some more and found the domain name of the software developer that made the site, apparently under contract to the insurance company.

I sent this email to the software developer, with a Cc: to the insurance company:

I got this response:

And I see that the problem was indeed fixed; the page was no longer accessible when I tried it at 6:35 PM on April 29, 2013.
Posted 5-1-13, 6:08 PM by Sam Bowne.