A hacker gained access to internal files and documents owned by security company and SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet.
The credentials were found in a public GitHub repository owned by a Comodo software developer. With the email address and password in hand, the hacker was able to log into the company's Microsoft-hosted cloud services. The account was not protected with two-factor authentication, so the leaked password alone was enough to get in.
Jelle Ursem, a Netherlands-based security researcher who found the credentials, contacted Comodo vice president Rajaswi Das by WhatsApp to secure the account. The password was revoked the next day.
Ursem told TechCrunch that the account allowed him to access internal Comodo files and documents, including sales documents and spreadsheets in the company's OneDrive, and the company's organization graph on SharePoint, allowing him to see staff biographies, contact information including phone numbers and email addresses, photos, customer documents, calendars, and more.
He also shared several screenshots of folders containing agreements and contracts with a number of customers, with the names of customers in each filename, such as hospitals and U.S. state governments. Other documents appeared to be Comodo vulnerability reports. Ursem's cursory review of the files did not turn up any customer certificate private keys, however.
"Seeing as they're a security company and give out SSL certificates, you'd think that the security of their own environment would come first above all else," said Ursem.
But according to Ursem, he wasn't the first person to find the exposed email address and password.
"This account has already been hacked by somebody else, who has been sending out spam," he told TechCrunch. He shared a screenshot of a spam email sent from the account, purporting to offer tax refunds from the French finance ministry.
We reached out to Comodo for comment prior to publication. A spokesperson said the account was an "automated account used for marketing and transactional purposes," adding: "The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down."
It's the latest example of exposed corporate passwords found in public GitHub repositories, where developers store code online. All too often developers upload files that inadvertently contain credentials used for internal-only testing, such as configuration files with a username and password hard-coded in them. Researchers like Ursem regularly scan repositories for passwords and report them to the companies, often in exchange for bug bounties.
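The repository scanning described above, as an added example that is not code from TechCrunch, Comodo or the researcher: a small Python scanner that flags quoted literals assigned to secret-looking keys, rates each by character entropy, and pairs it with any email address assigned within a few lines, since a username-plus-password pair is what turns a leaked file into a cloud login. The settings file it scans is a constructed sample; the key-name list, the entropy threshold and the placeholder list are assumptions to tune for a real codebase.

```python
"""Scan files for hard-coded credentials of the kind that leak via public
GitHub repositories. Added example; the sample below is constructed."""
import math
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of a settings file, not a real file from any company.
SAMPLE_FILE = """\
# settings.py (constructed sample)
SMTP_HOST = "smtp.example.com"
SMTP_USER = "marketing-bot@example.com"
SMTP_PASSWORD = "Tr0ub4dor&3xample!"
DEBUG = True
PLACEHOLDER_PASSWORD = "changeme"
ADMIN_PASSWORD = "aaaaaaaa"
api_token = "AKIAIOSFODNN7EXAMPLE"
"""

# A quoted literal assigned to a key whose name suggests a secret.
# Group 1 is the full key name, group 3 the literal value. Key words are an
# assumption; extend them for the codebase being scanned.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*?(password|passwd|pwd|secret|token|api_?key)[A-Z0-9_]*)"
    r"\s*[=:]\s*[\"']([^\"']+)[\"']"
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Obvious dummies that are not worth reporting (assumed list).
PLACEHOLDERS = {"changeme", "password", "secret", "xxx", "todo", "<password>"}
HIGH_ENTROPY_BITS = 3.0  # per-character Shannon entropy; tunable assumption


@dataclass
class Finding:
    line_no: int
    key: str
    value: str
    entropy: float
    confidence: str  # "high" for random-looking values, "low" otherwise


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan_text(text: str) -> List[Finding]:
    """Return every secret-looking assignment, skipping placeholders.
    Low-entropy values are kept but marked low confidence: a weak password
    in a public repo is still a leak, it just needs a human look first."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SECRET_ASSIGN_RE.search(line)
        if not m:
            continue
        key, value = m.group(1), m.group(3)
        if value.strip().lower() in PLACEHOLDERS:
            continue
        ent = shannon_entropy(value)
        conf = "high" if ent >= HIGH_ENTROPY_BITS else "low"
        findings.append(Finding(line_no, key, value, round(ent, 3), conf))
    return findings


def find_credential_pairs(text: str, window: int = 3) -> List[Tuple[str, str]]:
    """Pair each secret with an email address assigned within `window` lines.
    Returns (email, secret key name) tuples; these are the findings that can
    be used directly to log into a hosted account."""
    emails: Dict[int, str] = {}
    for idx, line in enumerate(text.splitlines(), start=1):
        m = EMAIL_RE.search(line)
        if m:
            emails[idx] = m.group(0)
    pairs = []
    for f in scan_text(text):
        for line_no, email in emails.items():
            if abs(line_no - f.line_no) <= window:
                pairs.append((email, f.key))
                break
    return pairs


def scan_directory(root: str) -> List[Tuple[str, Finding]]:
    """Walk a checkout and scan every UTF-8 text file, skipping .git.
    This sees only the working tree: a secret committed and later deleted
    still lives in history, so it must be rotated, not merely removed."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file
            results.extend((path, f) for f in scan_text(text))
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, f in scan_directory(sys.argv[1]):
            print(f"{path}:{f.line_no}: {f.key} ({f.confidence}, {f.entropy} bits)")
    else:
        for f in scan_text(SAMPLE_FILE):
            print(f"line {f.line_no}: {f.key} ({f.confidence}, {f.entropy} bits)")
        for email, key in find_credential_pairs(SAMPLE_FILE):
            print(f"credential pair: {email} / {key}")
```

Run it with a checkout path to scan a working tree, or with no arguments to see it flag the sample's SMTP password and API token as high confidence, the repeated-character admin password as low confidence, and the SMTP user and password as a usable pair. Dedicated tools such as gitleaks and truffleHog apply the same idea across full commit history, which matters because deleting a credential from the latest commit does not remove it from the repository; the only real fix for a leaked password is to rotate it and, as this story shows, to require a second factor so a password alone is not enough.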
Earlier this year Ursem found a similarly exposed set of internal Asus passwords on an employee's public GitHub account. Uber was also breached in 2016 after hackers found internal credentials on GitHub.