- Status: Closed
- Assigned To: cbay
- Private
- Opened by monty099 - 01.02.2024
- Last edited by cbay - 04.02.2024
FS#25 - Title: Security Report: Public Exposure of Sensitive Information
Introduction:
The purpose of this report is to highlight a critical security issue involving the public exposure of sensitive information on the website security.alwaysdata.com. The exposed data includes details about supervisors, the number of reports they have sorted, and some reports that remain unprocessed and may contain sensitive information and unpatched vulnerabilities.
Exposure of Supervisor Information:
The website security.alwaysdata.com hosts a page that displays information about all users, including supervisors. The URL format for accessing supervisor information is https://security.alwaysdata.com/user/1. By manipulating the numeric value in the URL, it is evident that any user can access information about all users and supervisors on the site. This unrestricted access poses a significant security risk as it allows unauthorized individuals to view sensitive user data, potentially compromising the privacy and security of the users and the platform as a whole.
Unsecured Reports:
Furthermore, the website contains reports that are in an unprocessed state and have not been closed. These reports are accessible to the public through the URL format https://security.alwaysdata.com/task/23?dev=1. The presence of such reports in an open state poses a severe security threat as they may contain sensitive information that should not be shared with regular users. Additionally, these reports may reveal unpatched vulnerabilities in the platform, further increasing the risk of exploitation by malicious actors.
Recommendations:
1. Immediate Restriction of Access: It is imperative to implement access controls to restrict public access to supervisor information and unprocessed reports. Access should be limited to authorized personnel with appropriate privileges.
2. Review and Remediation: All unprocessed reports should be reviewed to identify and address any sensitive information or vulnerabilities they may contain. Once remediated, these reports should be appropriately secured and closed.
3. Security Awareness Training: Conduct security awareness training for all personnel involved in managing and maintaining the website. Emphasize the importance of safeguarding sensitive data and the potential consequences of data exposure.
4. Regular Security Audits: Implement regular security audits to identify and address any potential security loopholes, including unauthorized access to sensitive information and unsecured reports.
Conclusion:
The public exposure of supervisor information and unsecured reports on security.alwaysdata.com poses a significant security risk, potentially compromising user privacy and platform integrity. Immediate action is necessary to address these vulnerabilities and ensure the confidentiality and security of user data. Failure to mitigate these risks could lead to severe repercussions for the organization and its users.
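The first recommendation above asks for access controls on reports and user pages, and the maintainer's replies below describe the policy the tracker is meant to enforce: reports are private by default and become visible only once an admin flags them public, while a user page exposes nothing beyond a username and name. The following is an added example, written for this page and not code from alwaysdata or the tracker software it runs; it shows a deny-by-default authorization check for that policy, an admin-only publish step, and a public profile serializer built from an explicit allow-list of fields. All users, roles and report data are constructed.

```python
"""Deny-by-default authorization for a report tracker (added example).

Policy modelled: a report is private unless an admin has flagged it public;
a private report is visible only to staff, its reporter and its assignee;
a public user profile returns only username and display name.
Every user and report below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class User:
    id: int
    username: str
    name: str
    role: str          # "admin", "staff" or "user"
    email: str = ""    # sensitive: must never reach the public profile


@dataclass
class Report:
    id: int
    reporter_id: int
    assignee_id: Optional[int]
    public: bool = False                        # private by default
    comments: List[str] = field(default_factory=list)


STAFF_ROLES = {"admin", "staff"}


def can_view_report(report: Report, viewer: Optional[User]) -> bool:
    """Return True only for an explicit reason; everything else is denied."""
    if report.public:
        return True
    if viewer is None:                          # anonymous visitor
        return False
    if viewer.role in STAFF_ROLES:
        return True
    return viewer.id in (report.reporter_id, report.assignee_id)


def publish_report(report: Report, actor: User) -> None:
    """The manual 'make public' step: only an admin may perform it."""
    if actor.role != "admin":
        raise PermissionError("only admins may publish a report")
    report.public = True


def report_view(report: Report, viewer: Optional[User]) -> dict:
    """Serialize a report for the viewer, or refuse if it is not visible."""
    if not can_view_report(report, viewer):
        raise PermissionError(f"report {report.id} is private")
    return {"id": report.id, "public": report.public,
            "comments": list(report.comments)}


def public_profile(user: User) -> dict:
    """Allow-list of fields: new attributes added to User stay hidden."""
    return {"username": user.username, "name": user.name}


# Constructed sample users (hypothetical, not real accounts)
ADMIN = User(1, "alice", "Alice Admin", "admin", "alice@example.invalid")
REPORTER = User(7, "bob", "Bob Reporter", "user", "bob@example.invalid")
OTHER = User(9, "carol", "Carol", "user")


def demo() -> dict:
    """Walk a report from private to public and record who could see it."""
    r = Report(23, reporter_id=REPORTER.id, assignee_id=ADMIN.id,
               comments=["triage note"])
    result = {
        "anon_before": can_view_report(r, None),        # False
        "other_before": can_view_report(r, OTHER),      # False
        "reporter_sees_own": can_view_report(r, REPORTER),  # True
    }
    try:
        publish_report(r, REPORTER)                     # not an admin
        result["reporter_can_publish"] = True
    except PermissionError:
        result["reporter_can_publish"] = False
    publish_report(r, ADMIN)                            # admin flags it public
    result["anon_after"] = can_view_report(r, None)     # True
    result["comments_after"] = report_view(r, None)["comments"]
    return result


if __name__ == "__main__":
    print(demo())
    print(public_profile(ADMIN))
```

The check is written as a single function so that every view of a report goes through the same decision; the serializers never touch the data model directly, which is what keeps a comment count or an e-mail address from leaking through a page that was meant to show less.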
Hello,
The only thing you can see is a username and name, so nothing private.
Reports are by default private. The only reports you can publicly see have been set manually as public by an admin, because they are deemed safe.
Kind regards,
Cyril
Users can see the number of reports managed by site administrators and the number of comments within the reports. This is information that should not be shared with the public.
link: https://security.alwaysdata.com/user/1
Reports being public is actually what we do want.
We've been handling security reports privately for the past 5 years, but we've decided very recently to open that new security.alwaysdata.com platform to switch to a public reporting (but as I said, reports are initially private and made public by an admin once they've been considered safe to publish).
Oh, no problem.
But I noticed that you closed the report after it was in a sorting state and it should be displayed to the public in order to be closed!
link: security.alwaysdata.com/task/23
No. A report is closed when we believe there's nothing more to discuss (or the reporter is not responding).
Hi,
I have sent new details showing the bug; see the report: security.alwaysdata.com/task/24
I hope you review the report with your sorting team and give me a final reply.
Is that possible?
We've discussed extensively on that report, yet you've tried to argue your case twice more in private tickets to 2 more different people from our team, and now you're hijacking another report to argue again?
I'm sorry but that's not acceptable behaviour. If you were to continue insisting, we'd have to permanently ban you from this platform.
You know that I don't mean anything; I just felt that I was wronged, and I tried to deliver the information to you in many ways, but you did not understand me, so I wanted someone else from your team to discuss it with me so that he might understand me.
I don't mean to insult you or anything else, but I wanted to discuss it with someone else on your team.
And I am sorry that I caused you a lot of trouble. I hope you accept my apology.