Let’s agree that everything is doomed!

Roshan Thomas, published in Secvibe.com, Apr 8, 2016

The story of a critical information disclosure villain…

Ok, let’s agree that everything is doomed. There is a proverb in my mother tongue — which can roughly be translated as follows.

Even something as trivial as a blade of grass can be a deadly weapon for an ace.

Apart from the conventional commercial Indian movies, where this theory is applied to make the hero stop the villain’s bullet with a blade of buffalo grass, or the parallel-world Chuck Norris flicks, I recently realized that this could actually have some relevance in the info-security industry as well.

We all may have heard of Google dork queries, which attackers use to perform passive reconnaissance on potential targets. (Those who haven’t heard of them may refer to this, this or that.) It is also true that quite a few among us may have trivialized the potential impact of such queries on a public domain. Yeah, now is the time to confess if you have ever said — “Such a moron, he wants me to stop pasting code snippets while I clear doubts on ‘Stackoverflow’.”

Apparently the data available in the public domain isn’t as trivial as we thought. Chuck Norris can in fact gather critical information including emails, passwords, usernames, credit card data and SSNs with a mere Google search query. But the reason I am writing is something big I found on a major bank’s domain.

In a class assignment to perform passive reconnaissance, I had to select a target. The target organization I chose for the exercise was a major, private sector bank in India. Defying the common notion that large organizations with sufficient security budgets do monitor data leakage, I was able to identify some shocking information without even actively probing the target domain.

Note:

When I performed this assignment, I ensured that no active reconnaissance was performed on the target systems. While there are a lot of unproductive discussions and controversies surrounding whether port scanning/service fingerprinting is legal or not, it is always safe to assume the worst. Certain ISPs have even gone further and defined policies which explicitly forbid users from performing active probing.

I will not be revealing the actual bank name or any specific details which could compromise their security. From here onward the bank will be called “Mystery Bank” and the domain “mysterybankxyz.com”.

Steps:

  1. Identify the target sub-domains. There are quite a few tools available online with which you can identify the subdomains of a particular domain. I used a handful of them to get the list of subdomains.
  2. Google it! I was primarily interested in the files on the different sub-domains of mysterybankxyz.com, so I started off with the following search.

Figure: The query to get all files with the extension xls on mysterybankxyz.com

  3. The search gave me a fair amount of results, which I then went through one by one looking for passwords, emails and credit card numbers. And yes, there were many! One such example is given below.
  4. This increased my interest in that particular target sub-domain and I started browsing it folder by folder. Guess what: it was listing directories and the files in them. And quite surprisingly, it turned out to be a development server with a hell of a lot of source code for the internally developed applications.

Figure: Directory listing on vulnerable.mysterybankxyz.com

  5. Some of the directories were not accessible, but that’s when the mighty Google came to my help again. I used the Google cache to see the previously available version of the directories, e.g. by googling cache:vulnerable.mysterybankxyz.com/test/test/xyz
  6. And after a while I was able to access a directory which had the entire source code as a ZIP file.

Figure: Source code downloadable as a zip
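The directory listing in step 4 is exactly what the defending side can check for on its own development hosts before a search engine indexes it. The following is an added example, not code from the post or from the bank, that inspects an HTTP response body for an auto-generated directory index (Apache mod_autoindex / nginx autoindex markers) and for links to file types that should never be reachable on a public dev server; the host name and the sample HTML are constructed.

```python
"""Self-audit helper: flag directory listings and risky downloadable files
in HTTP responses fetched from your own hosts. Added example for this post;
the sample HTML below is constructed, not captured from any real server."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# File types that should never sit on a publicly reachable dev server.
RISKY_EXTENSIONS = {".xls", ".xlsx", ".csv", ".zip", ".sql", ".bak", ".config"}
# Title/heading text emitted by Apache's mod_autoindex and nginx's autoindex.
LISTING_MARKERS = (re.compile(r"<title>\s*Index of /", re.I),
                   re.compile(r"<h1>\s*Index of /", re.I))

class _LinkCollector(HTMLParser):
    """Collects every href attribute from <a> tags in the response body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def is_directory_listing(html):
    return any(marker.search(html) for marker in LISTING_MARKERS)

def risky_links(base_url, html):
    """Return absolute URLs of links whose path ends in a risky extension."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href in parser.hrefs:
        path = href.split("?", 1)[0].split("#", 1)[0].lower()  # strip query/fragment
        if any(path.endswith(ext) for ext in RISKY_EXTENSIONS):
            found.append(urljoin(base_url, href))
    return found

def audit_response(base_url, html):
    return {"url": base_url,
            "directory_listing": is_directory_listing(html),
            "risky_files": risky_links(base_url, html)}

# Constructed sample: what an Apache auto-index of a dev folder looks like.
SAMPLE_LISTING = """<html><head><title>Index of /test/test/xyz</title></head>
<body><h1>Index of /test/test/xyz</h1><pre>
<a href="../">Parent Directory</a>
<a href="customers_2015.xls">customers_2015.xls</a>
<a href="source_v2.zip">source_v2.zip</a>
<a href="readme.txt">readme.txt</a>
</pre></body></html>"""

if __name__ == "__main__":
    print(audit_response("https://dev.example.com/test/test/xyz/", SAMPLE_LISTING))
```

In practice you would feed it the body of each URL from your own subdomain inventory and treat any hit as a finding to fix (disable autoindex, move the files off the public host), which catches the problem before step 2 above ever finds it.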

After some time I decided to responsibly disclose the vulnerability to the bank and sent the customer support team a mail asking for the contact details of the security team. They promptly responded and the vulnerability was patched within a week.

Why do these vulnerabilities exist?

There are a handful of reasons why such vulnerabilities go undetected.

  1. Low priority assigned to patching/hardening development systems.
  2. Neither the scope nor the time allocated is enough to effectively perform passive reconnaissance on an entire organization.

The big question here is whether I was the first and only one who found this. Mystery Bank, being a large financial organization, must be a preferred target for many attackers. Couldn’t we all be doomed by the mighty Chuck if such weaknesses exist?

An info-security enthusiast, student at Northeastern University, Boston, MA. GIAC Certified Incident Handler and an active vulnerability researcher.