Data leakage at SAP exposed user data. Again.

It was super easy to get access to a list of almost 6.900 names and e-mail addresses from SAP employees, partners and customers. No hacking needed, you just had to click links and know a few things. The list contains a handful of duplicates, test names or generic names. From the 6.900, ~6.630 e-mail addresses end with *@sap.com. The 270 remaining? This is what makes it bad: private data from customer and partner employees

SAP was noticed and took actions. The affected server is shut down. It is currently not possible to do anything outlined in this post. When the server comes back online, for sure the security issue will be fixed. This here is only to show how access was possible. What I am waiting for is the email from SAP stating that my data was leaked. While I am writing this, the server is offline for 7+ days. I know several people affected by this leakage. So far, no one received an email or was somehow notified. Maybe the process takes longer than 7 days? Or is this an event that needs no communication? Nevertheless, would be nice to get some clarification.

How to get the link that started it all

The FLP contains a link to help. That help is a feature that can be enriched by using an Enable Now service, like user assistance. A famous example that you can find promoted by SAP is quick tour.

Quick Tour is a feature from the FLP and part of user assistance. It can add tremendous value and is also featured in the SAP Learning course: Learning the Basics of SAP Fiori. In the FLP, clicking on quick tour opens the content in a popup.

The configuration for the quick tour link is available on the internet (blog, documentation). In my case, the quick tour did not open in a timely manner. I decided to look from where the information is loaded and opened the network tab in the developer tools of my browser. To my surprise, the FLP was not configured to use the standard URL. The complete URL was:

https://education3.hana.ondemand.com/education3/wa/ux_test/index.html?show=slide!SL_B21F…E898

The URL configured pointed to a different server than the one mentioned in the documentation PDF: https://education3.hana.ondemand.com/. Education3 instead of just education. This triggered my attention.

Taking away the parameters gives: https://education3.hana.ondemand.com/education3/wa/ux_test/index.html

Playing around with that link got me to https://education3.hana.ondemand.com/education3.

I opened the page and the fun started.

To be honest: not what I expected.

Anonymous access

First, the page should ask for authentication. I did not figure out it exactly works, but it seems that I am logged on sometimes as my P/S-User and sometimes as anonymous user. But even when the site asks for a user, it can be an P-User or S-User. P-User means: it can be any person in the world with internet access. Billions of people. And why? Thanks to SAP Universal ID.

Here I am logged on as anonymous user.

The system was used actively since I first came across this issue. The language of the anonymous user was changed to French. Maybe by an SAP employee, or by someone else that came across the site.

Anonymous or not, it doesn’t matter. The role assigned caused my second surprise: the navigation bar is full of items. Be it the one on the left, or on the top. A lot of content is available to the user. The anonymous user!

SAP UID

Logon via S/P-User worked too. The system uses SAP UID. Getting your user added to the system: just log on via UID and your user data is synchronized.

Apps

A launchpad is available.

Here I was logged via SAP UID. And that’s how my data ended up in the system.

Content access

Next step: navigating a little bit around. If a role that gives access to content is assigned to my user, and be it an anonymous user, I have the right to access the content. And following links is what I can do. The information already shows that personal data is accessible: name, user ID.

Many, many workspaces and even more content available.

Of course, I looked at the UX space. The name was UX Test, which is even more confusing. What kind of server and service is this? Why can I access it? The content provided is tutorials. They allow the user to explore feature of the Fiori Launchpad. I guess they are intended to be included in the quick tour.

In case you want to know who did or uploaded the training material – to give suggestions or just to say thank you – the information is provided by the app.

As an example, here is the quick tour guide for search and filter.

There are more quick tours available.

Hello Manfred. In case you follow me on Twitter: look at my Tweet from 6. April 2023.

At that time, I thought that somehow maybe someone would reach out and ask some questions. Well, no one cared. Unfortunate, because at that time I was not aware of what is following now. And maybe, just maybe, this data leakage could have been prevented.

Data leakage

All the above is nice. Experts might wonder why only nice. Yes, up to here is already not how it should be. Anonymous access, access to a lot of information, including user IDs and user names. Each point already high on the FUBAR list. But nothing compared to what comes now.

At the top navigation, there is menu item named Administration. I mean, it is SAP, security is priority #1. For sure it is secure. The app says I am an anonymous user, so nothing to worry about. Let’s look at administration and users.

The following screenshots contain black blocks. Each block is hiding personal data. There are way too much black blocks in the following screenshots.

Because I logged on, my name is there too.

Including private information: user Id, name, e-mail.

Holy moly. Pardon my French, but what the fuck?

That’s bad. If you think: it cannot get any worse. Ah, my young Padawan, you know nothing. This is only the start. In case you are an SAP fanboy/girl and think SAP is perfect, only delivering the best possible: you should have stopped reading right after the title of this post. And now get your mind blown. The table offers an export functionality.

Excel rules the world. Let the table export generate a XLSX file. This is my favorite part. In case someone came via clicking on links until here, even for analyzing the user data no special knowledge is needed. No programming, no hacking, no security protocols, no raw data that first needs to be sorted. Excel. Bringing all the data tools with it that are needed to analyze a list of users.

700KB Excel file downloaded. 700KB. That’s … more than just the table information displayed in the browser. And yes, that’s the complete user information. How many? At the time of me writing this, almost 6.900 user entries. Which, btw, is almost 200 more in just a few days when I first came across the download feature.

The list starts with SAP employees.

And ends with customers and partners.

What is happening?

Only SAP can answer this. My guess: someone is distributing the education3 links to SAP customers that are using the Quick Tour feature. And when users are accessing the Quick Tour feature, they might be logged on automatically (thanks to SSO and SAP UID). And then they are added to the list of users.

The role I was automatically assigned is learners. Seems that learners is either added to the admin role, or SAP wants people to really learn how the internet works. Anonymous user with access to the admin role. Allowing to access the user database, including export.

A few things come to my mind. For instance

• Why is the server not secured?
• Why does an anonymous user have the admin role assigned?
• Why does every user that logs on gets the admin role assigned?
• Why is someone (SAP employee maybe?) distributing this link globally?
• Why is the server is meant for productive usage? For a sales activity, I’d expect a separate server is used.
• Why is the internal server connected to SAP UID and accepts non-SAP users?
• Is no one from SAP checking the server from time to time? Did no one notice the customer users?
• Why wasn’t an unusual traffic load identified? The education3 link seems to be configured at many customers. Did no one notice that the load increased to a rather unusual level for an internal server?
• And so many more questions

Or is this working as designed?

SAP is promoting cloud. To run your business in the cloud, security is important. SAP is stating that security as priority #1. Maybe this should not only be communicated at events and to clients, but also internally at SAP. The next big thing in the IT and SAP universe is AI. When customers are sending data to SAP for AI, security is more than important. Even with SAP stating that all is secure: is it? A small configuration error can happen. But are these sensitive services monitored? Secured enough? What happens when customers try out a new AI service and SAP decides to connect the service to UID? And billions of people can access customer data?

Are you affected?

You should know if you are affected that your private data leaked by SAP. In case you do not know (yet), you might check if someone configured the quick tour feature in your Fiori Launchpad and used the education3 server. Currently the easiest way is to open the help in your FLP and start the quick tour. The server is offline. The content loaded should be this error message.

In case you see this, there is the possibility your name is in the user database of the affected server. You might want to talk to SAP. They can tell you if personal data was leaked.