fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Ford Bug Exposed Customer And Employee Records From Internal Systems

Ford Bug Exposed Customer And Employee Records From Internal Systems

A bug on Ford Motor Company’s website allowed for accessing sensitive systems and obtaining proprietary data, such as customer databases, employee records, internal tickets, etc.

The data exposure stemmed from a misconfigured instance of Pega Infinity customer engagement system running on Ford’s servers.

From data exfiltration to account takeovers

This week, researchers have disclosed a vulnerability found on Ford’s website that let them peek into confidential company records, databases and perform account takeovers.

The vulnerability was discovered by Robert Willis and break3r, with further validation and support provided by members of Sakura Samurai ethical hacking group—Aubrey CottleJackson Henry, and John Jackson.

The issue is caused by CVE-2021-27653, an information exposure vulnerability in improperly configured Pega Infinity customer management system instances.

Researchers shared many screenshots of Ford’s internal systems and databases with BleepingComputer. For example, the company’s ticketing system is shown below:

Ford ticket system exposed
Ford’s internal ticket system exposed to researchers

To exploit the issue, an attacker would first have to access the backend web panel of a misconfigured Pega Chat Access Group portal instance:

As seen by BleepingComputer, different payloads provided as URL arguments could enable attackers to run queries, retrieve database tables, OAuth access tokens, and perform administrative actions.

Also Read: Got A Notice of Data Breach? Don’t Panic!

The researchers state that some of the exposed assets contained sensitive Personal Identifiable Information (PII), and included:

  • Customer and employee records
  • Finance account numbers
  • Database names and tables
  • OAuth access tokens
  • Internal support tickets
  • User profiles within the organization
  • Pulse actions
  • Internal interfaces
  • Search bar history

“The impact was large in scale. Attackers could use the vulnerabilities identified in the broken access control and obtain troves of sensitive records, perform account takeovers, and obtain a substantial amount of data,” Willis writes in a blog posting.

Took six months to ‘force disclose’

In February 2021, the researchers had reported their findings to Pega that fixed the CVE in their chat portal relatively quickly.

The issue was also reported to Ford around the same time via their HackerOne vulnerability disclosure program.

But, the researchers told BleepingComputer that communication from Ford was thin and faded as the responsible disclosure timeline progressed:

“At one point in time, they completely stopped answering our questions. It took HackerOne mediation to get an initial response on our vulnerability submission from Ford,” John Jackson told BleepingComputer in an email interview.

Jackson states that as the disclosure timeline progressed further, the researchers heard back from HackerOne only after tweeting about the flaw, but without giving out any sensitive details:

“When the vulnerability was marked as resolved, Ford ignored our disclosure request. Subsequently, HackerOne mediation ignored our request for help disclosing which can be seen in the PDF.”

“We had to wait the full six months to force disclose per HackerOne’s policy out of fear of the law and negative repercussions,” continued Jackson.

At this time, Ford’s vulnerability disclosure program does not offer monetary incentives or bug bounties, so a coordinated disclosure in light of public interest was the only “reward” researchers were hoping for.

A copy of the disclosure report shared with BleepingComputer indicates Ford refrained from commenting on specific security-related actions.

“The findings you submitted… are considered private. These vulnerability reports are intended to prevent compromises which may require disclosure.”

“In this scenario, the system was taken offline shortly after you submitted your findings to HackerOne,” Ford shared with HackerOne and the researchers, as per the discussion in the PDF.

Although the endpoints were taken offline by Ford within 24 hours of the report, the researchers comment in the same report that the endpoints remained accessible even afterward, and requested another review and remediation.

Also Read: A Review of PDPC Undertakings July 2021 Cases

It is not yet known if any threat actors exploited the vulnerability to breach systems at Ford, or if sensitive customer/employee PII was accessed.

BleepingComputer reached out to Ford multiple times well in advance of publishing but we did not hear back.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us