A hacker gained entry to inside recordsdata and paperwork owned by safety firm and SSL certificates issuer Comodo by utilizing an e mail handle and password mistakenly uncovered on the web.
The credentials had been present in a public GitHub repository owned by a Comodo software program developer. With the e-mail handle and password in hand, the hacker was capable of log into the corporate’s Microsoft-hosted cloud companies. The account was not protected with two-factor authentication.
Jelle Ursem, a Netherlands-based safety researcher who discovered the credentials, contacted Comodo vp Rajaswi Das by WhatsApp to safe the account. The password was revoked the next day.
Ursem instructed TechCrunch that the account allowed him to entry inside Comodo recordsdata and paperwork, together with gross sales paperwork and spreadsheets within the firm’s OneDrive — and the corporate’s group graph on SharePoint, permitting him to see the crew’s biographies, contact info together with cellphone numbers and e mail addresses, images, buyer paperwork, calendar, and extra.
A screenshot of a workers calendar on Comodo’s inside web site. (Image: equipped)
He additionally shared a number of screenshots of folders containing agreements and contracts with a number of clients — with the names of shoppers in every filename, equivalent to hospitals and U.S. state governments. Other paperwork gave the impression to be Comodo vulnerability studies. Ursem’s cursory evaluate of the information didn’t flip up any buyer certificates personal keys, nevertheless.
“Seeing as they’re a security company and give out SSL certificates, you’d think that the security of their own environment would come first above all else,” stated Ursem.
But based on Ursem, he wasn’t the primary individual to seek out the uncovered e mail handle and password.
“This account has already been hacked by somebody else, who has been sending out spam,” he instructed TechCrunch. He shared a screenshot of a spam e mail despatched out, purporting to supply tax refunds from the French finance ministry.
We reached out to Comodo for remark previous to publication. A spokesperson stated the account was an “automated account used for marketing and transactional purposes,” including: “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.”
It’s the most recent instance of uncovered company passwords present in public GitHub repositories, the place builders retailer code on-line. All too typically builders add recordsdata inadvertently containing personal credentials used for internal-only testing. Researchers like Ursem commonly scan repositories for passwords and report them to the businesses, typically in trade for bug bounties.
Earlier this yr Ursem discovered a equally uncovered set of inside Asus passwords on an worker’s GitHub public account. Uber was additionally breached in 2016 after hackers discovered inside credentials on GitHub.
