Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by Bad_Script3r - 29.01.2024
Last edited by cbay - 30.01.2024

FS#20 - Unauthorized Access to Over 6000+ Valid User Credentials

I have identified a Credential Dump that allows unauthorized access to over 6000+ valid user credentials of Alwaysdata.com. This discovery was made in accordance with the Alwaysdata Bug Bounty Program guidelines. I am reporting this issue to ensure the security and privacy of Alwaysdata's users and to assist in prompt remediation.

Sensitive Data at Risk:

The data exposure includes, but is not limited to, vendor and client details, Personally Identifiable Information (PII), Social Security Numbers, medical and financial records, and crucial authentication credentials.

Impact

If exploited by a malicious actor, this vulnerability could lead to:

- Unauthorized access to user accounts.
- Potential compromise of sensitive personal and financial data.
- Secondary attacks using the obtained credentials (credential stuffing, phishing, etc.).
- Damage to the reputation and trustworthiness of the Alwaysdata platform.

Given the scale of the data exposure (6000+ user credentials), the impact is considered highly critical.

Steps to Reproduce:

To access and reproduce the findings related to the data leak, please follow this link: https://phonebook.cz/. It is important to note that an Academia account is required to view the full extent of the data dump. This platform was where I initially discovered the leak of valid credentials.

For your convenience, I've completed the data compilation myself and attached screenshots that capture key aspects of the data leak. Please find below the attached document containing direct links to the accounts, along with their corresponding emails and passwords. This information was extracted through a manual process, and I've managed to identify at least 30 potential accounts, reviewing their Personally Identifiable Information (PII) among other data. These images should provide a clearer understanding of the issue and assist in verifying the vulnerability.

Proof of Concept
I have attached the POC for your reference. I was only able to attach 5 files. If possible, kindly guide me so I can attach more POCs.

Remediation Suggestions

To address this vulnerability, I suggest the following immediate and long-term remediation steps:
Revoking current exposed credentials and enforcing a password reset for affected users.
Implementing stricter access controls and regular security audits to prevent similar vulnerabilities.

Confidentiality Agreement

I understand the sensitive nature of this report and agree to keep the details confidential until Alwaysdata has resolved the issue and agreed to disclosure, as per the bug bounty program's guidelines.

I look forward to your prompt response and am willing to provide any further information required for the resolution of this issue. Though the leaked credentials might originate from another application or service, they are your users and I believe it is your call to protect the privacy and data of your users. I would greatly appreciate your team's consideration of rewarding this finding, even if it falls outside the typical scope of your program. Thank you for your commitment to security and the opportunity to contribute to the safety of the Alwaysdata platform.

Regards,
Bad_Script3r
Would really appreciate if you could revert on my Email (akhilsocials@gmail.com)
Thanks and Regards.

Closed by cbay
30.01.2024 10:47
Reason for closing: Invalid
Admin
cbay commented on 29.01.2024 17:50

Hello,

There are no attached files.

Kind regards,
Cyril

Hello Cyril,

My sincere apologies for the oversight. I've uploaded the required files on the ticket at https://admin.alwaysdata.com. Regrettably, I failed to include them in this email. Please access the Google drive link below!

If you encounter any difficulties or require further assistance, do not hesitate to reach out. Your understanding is greatly appreciated.

Thank you!

Admin
cbay commented on 30.01.2024 07:43

I've looked at your LeakedCreds.txt file and none of the first 10 (alleged) customer emails actually exist in our database. There may be valid credentials in the file, but most likely only a tiny part.

Besides, as far as I know phonebook.cz contains leaked data that could have been acquired in multiple ways, including malware on customer computers. It absolutely doesn't imply that the data was leaked due to a vulnerability on our platform.

If you search gmail.com or netflix.com on phonebook.cz, you'll most likely find a lot of credentials as well, and that doesn't mean Gmail or Netflix have vulnerabilities.
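The check described in the comment above (matching the alleged customer emails in a dump against the real customer base before deciding on any forced reset), as an added example that is not part of the original thread or of Alwaysdata's own tooling; the email:secret line format, the sample dump and the customer set are constructed assumptions.

```python
import re

# Constructed sample dump (fake values) in the assumed "email:secret" format.
SAMPLE_DUMP = """\
Alice@Example.com:hunter2
bob@example.com:password1
bob@example.com:password1
not-an-email-line
carol@other.org:qwerty
mallory@example.com:letmein
"""

# Constructed stand-in for the customer database's email column.
KNOWN_CUSTOMERS = {"alice@example.com", "bob@example.com", "dave@example.com"}

EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")


def parse_dump_emails(text: str) -> set:
    """Return the distinct, lower-cased email half of each email:secret line.

    The secret is dropped at parse time: triage only needs the identifiers,
    and leaked passwords should never be logged or stored by this process.
    Malformed lines (no separator, not an email) are skipped, duplicates
    collapse, and case differences are normalised before matching.
    """
    emails = set()
    for line in text.splitlines():
        email, sep, _secret = line.partition(":")
        email = email.strip().lower()
        if sep and EMAIL_RE.match(email):
            emails.add(email)
    return emails


def triage_dump(text: str, customers: set) -> dict:
    """Measure how much of a dump maps to real accounts.

    'matched' lists the accounts that warrant a forced password reset and a
    2FA nudge; 'match_ratio' helps distinguish a platform-side breach (most
    entries are real accounts) from infostealer or credential-stuffing data
    that merely mentions the domain (few entries match, as in the thread).
    """
    emails = parse_dump_emails(text)
    matched = sorted(emails & customers)
    ratio = len(matched) / len(emails) if emails else 0.0
    return {"total": len(emails), "matched": matched, "match_ratio": ratio}
```

Run against the real customer table, the "matched" list is the exact reset scope; a low ratio on a large dump is the signal that the data is not attributable to the platform.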

Dear Cyril,

While I acknowledge your point about the possibility of leaked data being acquired through various means, including malware on customer computers, I would like to bring to your attention that, through manual verification, I was able to gain access to almost 30+ accounts that appear to be associated with your platform. This raises concerns about the security of user accounts and emphasizes the importance of safeguarding their privacy and data.

I understand that websites like phonebook.cz may contain a mix of leaked data from various sources, including well-known services like Gmail or Netflix. However, it's crucial to note that responsible organizations take proactive measures, such as prompt password resets and security enhancements, once such breaches are discovered. In my attempt to access the platform manually, I was able to log in as valid users and access personally identifiable information (PII), prompting the need for reporting.

Considering the potential impact on your users and in line with responsible disclosure practices, I kindly request a reassessment of the situation. I have conducted threat intelligence on your behalf and believe that addressing this security concern is essential for the well-being of your users and the credibility of your organization.

I hope we can work collaboratively to address and rectify this situation promptly. Your understanding and cooperation in this matter are greatly appreciated.

Best regards, and hope you are well on your side of the screen!

Admin
cbay commented on 30.01.2024 09:07

We do not believe it's our responsibility to monitor (suspect) leaked data and proactively reset passwords for accounts having leaked credentials. It's our customers' responsibility to ensure their computers don't run malware, and we encourage them to activate 2FA anyway.

At the very least, we do agree that there's no security vulnerability on our side here.

Thank you for your prompt response and clarification regarding the responsibility for monitoring leaked data. I understand your perspective on the matter and your emphasis on user responsibility, as well as the encouragement of 2FA activation.

While I acknowledge that you do not consider it the platform's responsibility to monitor leaked data proactively, I would like to reiterate that my intention is to contribute to the overall security of your platform. In light of this, and considering the absence of a security vulnerability on your side, I would like to inquire about the possibility of a nominal reward for the threat intelligence provided and the responsible disclosure of leaked user information.

Your support in this matter is highly appreciated, and I look forward to any further discussions on this topic.

Admin
cbay commented on 30.01.2024 09:40

What do you mean by "nominal reward" exactly?

Dear Cyril,

Thank you for your prompt response. I appreciate the straightforward communication and a touch of quirky sarcasm in your question.

By "nominal reward," I mean compensation in line with your company's policy and, essentially, whatever you, as a triager, deem fit for rewarding, considering the manual compilation, analysis, and responsible disclosure effort put into identifying the security concern.

Would highly appreciate if any! :)

I understand that reward structures can vary, and I'm open to your suggestions. Your support and understanding in this matter are highly valued. Wishing you a great day!

Admin
cbay commented on 30.01.2024 10:46

Considering that it's out of our bug bounty scope, that it's not even a security vulnerability and that the very same "issue" had already been reported multiple times over the last few months (our vulnerability reports used to be private, we've only started making them public starting this month), I'm afraid we cannot give you any reward :)
