[BreachExchange] South Carolina capital website had a security flaw that exposed passwords

[Destry Winant]

https://www.cnet.com/news/south-carolina-capital-website-has-a-security-flaw-that-exposed-passwords/

One bad search on the government website for South Carolina's capital
city could've exposed an entire database.

The city of Columbia site had a security flaw in its search tool,
according to independent security researcher Arif Khan. The flaw let
anyone view passwords for the website's database and email protocol
servers, creating a massive potential for abuse, Khan said on
Thursday.

The vulnerability made it possible for someone to "pull sensitive data
out of the Columbia city government's database," Khan said. With
access to the email protocol servers, an attacker could've also
created spoof emails that looked like they'd come from the city
government.

The flaw involved a misconfiguration of the site's search function. If
you searched for a term that couldn't be found in the site's database,
the site would inadvertently serve up an error page meant only for
administrators. I was able to reproduce the security flaw through the
site's search function multiple times, including by searching on my
own name and phrases like "Bazinga."

The vulnerability was fixed after CNET reached out to city officials
about the issue. The Columbia city government didn't respond to a
request for comment, but a representative confirmed that it did
receive the inquiry.

Khan said he contacted city officials in September but never heard
back from them. He reached out again in October, he said, and another
security researcher also publicly contacted the city government in
November on Twitter.

Cybercriminals often target city governments because they serve an
important function and have access to sensitive information. Last
November, the Justice Department brought charges against two Iranian
hackers who caused more than $30 million in damages through ransomware
attacks on cities like Newark, New Jersey, Atlanta and San Diego.

At the end of March, New York's capital announced it was also hit with
a hack. It's not clear if any malicious actors found the vulnerability
on the Columbia government's website, but the exposure had the
potential to cause a lot of harm.