Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by aakarshxmishra - 25.01.2025
Last edited by cbay - 27.01.2025

FS#126 - Title: Public Exposure of Sensitive Bank Details via PDF File

Description:

I discovered a publicly accessible PDF file containing sensitive financial and personal information at the following URL:
https://share.alwaysdata.com/IBAN.pdf AND https://static.alwaysdata.com/docs/IBAN.pdf

The document exposes Personally Identifiable Information (PII) and sensitive banking details, including the International Bank Account Number (IBAN), Bank Identifier Code (BIC), account holder's name, and address. This information could be exploited for unauthorized transactions, fraud, and privacy violations.

Steps to Reproduce:

1. Navigate to the URL: [https://static.alwaysdata.com/docs/IBAN.pdf] and [https://share.alwaysdata.com/IBAN.pdf]
2. Download the file (IBAN.pdf).
3. Open the file to view the sensitive details.

Impact:

• Financial Risks: An attacker could misuse the exposed banking details for unauthorized transactions or fraudulent activities.
• Privacy Concerns: The document discloses the account holder's name and address, increasing the risk of phishing or other targeted attacks.
• Legal Compliance: Public exposure of such information may violate data protection regulations, such as the GDPR (General Data Protection Regulation) in the EU.

Mitigation:

1. Immediately remove the file from public access.
2. Audit all publicly accessible files to ensure sensitive information is not exposed.
3. Use preventive measures like robots.txt or noindex tags to prevent indexing by search engines.
4. Review the system to ensure sensitive files are stored securely and not inadvertently exposed.

Severity: High – This issue involves the public disclosure of sensitive financial and personal information, which could lead to significant harm if exploited.

Suggested Timeline for Fix: Immediate – This issue should be prioritized for resolution to prevent potential abuse.

Hope this will be fixed soon.
Do let me know if you need any further assistance.

NOTE: While making this report public, please make sure to mask or remove the sensitive information that is written in the report.

Thanks
Best Regards
Aakarsh Mishra

Closed by  cbay
27.01.2025 08:17
Reason for closing:  Invalid
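The reporter's mitigation list asks for an audit of all publicly accessible files. The script below is an added example, not part of the original report or of alwaysdata's own tooling; it shows how such an audit can validate IBAN candidates with the ISO 13616 mod-97 check instead of flagging every "two letters plus digits" token. Text extraction from PDFs (pdftotext or similar) is assumed to happen beforehand, so the documents here are a constructed in-memory corpus, the IBANs are the widely published documentation examples rather than real accounts, and the country-length table is a deliberately small subset. One caveat on item 3 of the list: robots.txt and noindex only affect search-engine indexing and are not access controls; a file reachable by URL stays reachable.

```python
import re

# Registered total IBAN length for a few countries (ISO 13616 registry values).
# Deliberately a small subset for this example; extend it from the registry.
IBAN_LENGTHS = {
    "BE": 16, "NL": 18, "CH": 21, "DE": 22, "GB": 22, "ES": 24, "FR": 27, "IT": 27,
}

# Candidate: 2 letters, 2 check digits, then 11-30 alphanumerics, optionally
# separated by single spaces. Lookarounds stop us matching inside a longer token.
CANDIDATE_RE = re.compile(r"(?<![A-Z0-9])[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}(?![A-Z0-9])")


def iban_checksum_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    map A..Z to 10..35, and the resulting integer must be congruent to 1 mod 97."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def normalize_candidate(raw: str) -> str:
    """Strip spaces; if the country length is known, cut greedy regex overreach
    (e.g. a following 'BIC' token) down to the registered length."""
    compact = raw.replace(" ", "")
    expected = IBAN_LENGTHS.get(compact[:2])
    if expected is not None and len(compact) > expected:
        compact = compact[:expected]
    return compact


def iban_is_valid(candidate: str) -> bool:
    """Structural check (country length where known) plus the mod-97 checksum."""
    compact = normalize_candidate(candidate.upper())
    expected = IBAN_LENGTHS.get(compact[:2])
    if expected is not None and len(compact) != expected:
        return False
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", compact):
        return False
    return iban_checksum_ok(compact)


def find_ibans(text: str) -> list[str]:
    """Return validated IBANs found in text (compact form, deduplicated, in order)."""
    found: list[str] = []
    for m in CANDIDATE_RE.finditer(text):
        compact = normalize_candidate(m.group(0))
        if iban_is_valid(compact) and compact not in found:
            found.append(compact)
    return found


def audit_documents(documents: dict[str, str]) -> dict[str, list[str]]:
    """Map each document name to the validated IBANs it contains. Documents
    without hits are omitted so the report lists only files needing action."""
    report: dict[str, list[str]] = {}
    for name, text in documents.items():
        hits = find_ibans(text)
        if hits:
            report[name] = hits
    return report


# Constructed sample corpus standing in for text extracted from published files.
# The IBANs are the well-known documentation examples, not real accounts.
SAMPLE_DOCUMENTS = {
    "docs/IBAN.txt": (
        "Payment by bank transfer\n"
        "Account holder: Example Corp\n"
        "IBAN: DE89 3704 0044 0532 0130 00 BIC: COBADEFFXXX\n"
    ),
    "docs/terms.txt": (
        "Order reference GB82 WEST 1234 5698 7654 32 must be quoted.\n"
        "Invoice id DE00 3704 0044 0532 0130 00 is a malformed example.\n"
    ),
    "docs/readme.txt": "Nothing sensitive here: build id AB12CDEF 2025.\n",
}

if __name__ == "__main__":
    for name, ibans in audit_documents(SAMPLE_DOCUMENTS).items():
        print(f"{name}: {', '.join(ibans)}")
```

The checksum is what separates a leak from noise: a candidate with a wrong check digit (the "DE00" line) is rejected, while the greedy match that swallows the trailing "BIC" token is trimmed to the registered length before validation rather than being lost as a false negative.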
