[BreachExchange] Apache Misconfig Leaks Data on 120 Million Brazilians

Destry Winant destry at riskbasedsecurity.com
Fri Dec 14 08:58:02 EST 2018


https://www.infosecurity-magazine.com/news/apache-misconfig-leaks-data-120/

The identity numbers of 120 million Brazilians have been found
publicly exposed on the internet after yet another IT
misconfiguration.

The data relates to Cadastro de Pessoas Físicas (CPFs): ID numbers
issued by Brazil’s central bank to all citizens and tax-paying
residents. The size of the leak represents data on over half the
population of South America’s biggest country.

Researchers at InfoArmor’s Advanced Threat Intelligence Team found the
database exposed on an Apache web server in March, after a simple
internet search.

“Upon closer examination of the server that was discovered by
InfoArmor’s researchers, it was found that someone had renamed the
‘index.html’ to ‘index.html_bkp,’ revealing the directory’s contents
to the world. Anyone who knew the filename or navigated to it would
have unfettered access to all the folders and files within,” its
report explained.

“Two simple security measures could have prevented this: not renaming
the main index.html file or prohibiting access through .htaccess
configuration. Neither of these basic cybersecurity measures were in
place.”
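The mechanism the report describes is Apache's mod_autoindex: when a request lands on a directory that has no `DirectoryIndex` file (the renamed `index.html`), Apache generates a listing of everything in it, provided the `Indexes` option is on. The configuration below is an added illustration, not taken from the article or from InfoArmor's report; the directory path, network range and file names are placeholders. It shows the permissive setting that turns a renamed index file into a public listing beside the hardened form, and the `.htaccess` equivalent the report alludes to.

```apache
# Added example, not from the article. Paths and addresses are placeholders.
# The two <Directory> blocks are "before" and "after"; use one or the other,
# not both, in a real httpd.conf.

# --- BEFORE: the setting that makes a missing index.html fatal ---
# With mod_autoindex loaded and Indexes enabled, any directory that lacks a
# DirectoryIndex file is served as a generated listing. Renaming index.html
# to index.html_bkp is enough to expose every file and subfolder to anyone
# who requests the directory URL.
<Directory "/var/www/exports">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- AFTER: listing disabled and access restricted in the main config ---
<Directory "/var/www/exports">
    # Never generate a listing, even if the index file is missing or renamed.
    Options -Indexes +FollowSymLinks
    # Allow a per-directory .htaccess to tighten access, but not to re-enable
    # Indexes (Apache 2.4 syntax: Options=<list> limits which options it may set).
    AllowOverride AuthConfig Limit Options=Indexes
    # A bulk data export has no business being world-readable on a web server;
    # restrict it to the internal range that actually needs it (placeholder).
    Require ip 10.0.0.0/8
</Directory>

# --- .htaccess placed in /var/www/exports (the report's second measure) ---
# Only honoured if AllowOverride in the main config permits these directives,
# which is why the hardening above belongs in httpd.conf, not only here.
#
#   Options -Indexes
#   Require all denied
```

Two checks worth running on your own servers: `apachectl -M | grep autoindex` shows whether mod_autoindex is loaded at all (on Debian-based systems `a2dismod autoindex` removes the listing capability globally, which is the simplest fix when no directory legitimately needs it), and `apachectl -t` validates the configuration before a reload. Note that `Require all denied` in `.htaccess` blocks the legitimate application too; it suits a directory that should never be web-served, not one that merely lost its index file.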

Only weeks later, after the firm unsuccessfully tried to contact the
SQL host, did the issue get fixed.

“What was originally misconfigured to be accessible by IP address was
reconfigured as a functional website with an authenticated
alibabaconsultas.com domain that redirected to its login panel,” it
explained.

“Although InfoArmor cannot be sure that alibabaconsultas.com was
responsible for the leak, it appears they were somehow involved,
likely in a hosting-as-a-service function.”

The security firm warned that “it is safe to assume” either a nation
state or cybercrime group now has the leaked information.

Ilia Kolochenko, CEO of High-Tech Bridge, said the Brazilian government
must conduct a thorough investigation.

“The major question here is how did this highly sensitive and
confidential data go online on a third-party server in a flagrant
violation of all possible security, compliance and privacy
fundamentals? Who else has access to this data and its copies?” he
argued.
