Accused of Hacking
About 5 years ago, during a security sweep of a new "app" a
client had started using, I discovered the hosting company's website
had a robots.txt giving the paths of many pages on their website containing
sensitive information.
The whole thing is starting to snowball, so this is my statement.
The "App"
For those that don't know me, I am an IT Professional, providing IT consultancy
services to businesses around my local area of Devon, UK.
I'm generally met with people who are happy to see me and trust my advice.
Sometimes though that is not the case.
My client in question is a medium sized business in Devon. They employ
approximately 70-100 staff members and have been in operation for over 60 years.
They are a well known local business.
Due to running a business this size, they naturally have outsourced some
workloads to third-parties, specifically for this case, Health and Safety. They
use the services of a Chartered Health and Safety Consultancy used by many other local businesses.
For whatever reason, this H&S company had decided they could make "apps" for their
clients to assist with entering H&S information amongst other things. Seems like a good idea, sure... but...
...These "apps" are not apps at all, they are in fact simple html index pages linking to various Jotform Forms, Google Sheets, etc. These html index pages are, for the most part, unauthenticated. This means anybody who knows the link to that page can access those forms and spreadsheets.
As an example, if a random passer by on the internet was to go to a URL like https://thecompanyswebsite.com/someothercompany_portal.html
they would be shown a list of links
to various Health and Safety, Vehicle checks, holiday request forms, etc. All of which could be filled out without having to prove who they are.
Why is this bad?
OK, well maybe that doesn't look so bad. I mean, you'd have to know what the path of the page is (the someothercompany_portal.html
bit) right? Well, yes, you would but that
should never be a defense, ever. Even if a URL is difficult to guess (it's not), it does not mean it's impossible.
Robots.txt
Yep, the portal URL may be difficult to guess (they're not), and if it was just that alone things may be OK.
But...
This Health and Safety Company also had the good sense not to let search engines index
those portal pages. We don't want people's sensitive information being indexed by Google, do we! Very Good.
Ah...
The robots.txt looks something like this:
There's about 510 lines like that.
(You'll notice I have taken the care to pixelise out the paths. I appreciate
pixelisation can be undone, but due to the fact you'd need to know the base URL
for this to work, and if you had the base URL, you'd have the full robots.txt file
anyway, I feel no further actions on my part need to be taken here.)
For the uninitiated, this robots.txt means that Google, Bing, DuckDuckGo, etc. will never try to index any content on any of those paths. However, this does absolutely nothing to stop a badly behaved or malicious webcrawler/bot. In fact, this file will act as a lovely index to tell that webcrawler/bot exactly what pages you don't want it to see. A Disallow line is a request to well-behaved crawlers, not an access control; the only thing that stops a page being read is the server refusing to serve it without authentication.
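The practical check a site owner should run is the one the post implies: take every path listed under Disallow and see what an anonymous request to it actually gets back. The script below is an added example, not code from the original post or from any company mentioned in it. The robots.txt body and the status map are constructed for the example (the real file had roughly 510 Disallow lines); the fetcher is a stand-in callable so the audit runs offline, and you would replace it with a real unauthenticated HTTP request against your own site.

```python
"""Audit whether paths "hidden" via robots.txt are actually access-controlled.

Added example, not from the original post. It parses a robots.txt body,
collects every Disallow path, and asks a fetcher what HTTP status each path
returns to a client with no credentials. A 200 on a Disallow'd path means the
page relies on obscurity, not authentication. All sample data is constructed.
"""
from typing import Callable, Dict, List

# Constructed sample with placeholder paths, shaped like the file the post
# describes (the real one had about 510 such lines).
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /example_client_portal.html
Disallow: /example_client_vehicle_checks.html
Disallow: /example_club_registrations.html   # trailing comment
Disallow: /private/

Allow: /public/
"""

# Constructed: the status an unauthenticated GET to each path returns.
# 200 = served without a login; 401/403 = rejected; anything else = "other".
SIMULATED_STATUS: Dict[str, int] = {
    "/example_client_portal.html": 401,
    "/example_client_vehicle_checks.html": 200,
    "/example_club_registrations.html": 200,
    "/private/": 403,
}


def parse_disallow_paths(robots_txt: str) -> List[str]:
    """Return the unique Disallow paths in file order, ignoring comments,
    blank lines, and the empty 'Disallow:' that means 'allow everything'."""
    paths: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths


def audit_unauthenticated_exposure(
    robots_txt: str, fetch_status: Callable[[str], int]
) -> Dict[str, List[str]]:
    """Bucket each Disallow path by the status an anonymous request receives.

    'exposed'   -> 200, the page is readable without logging in
    'protected' -> 401 or 403, the server demanded credentials
    'other'     -> redirects, 404s, errors: inspect by hand
    """
    report: Dict[str, List[str]] = {"exposed": [], "protected": [], "other": []}
    for path in parse_disallow_paths(robots_txt):
        status = fetch_status(path)
        if status == 200:
            report["exposed"].append(path)
        elif status in (401, 403):
            report["protected"].append(path)
        else:
            report["other"].append(path)
    return report


def simulated_fetch(path: str) -> int:
    """Offline stand-in for an unauthenticated HTTP request (constructed)."""
    return SIMULATED_STATUS.get(path, 404)


if __name__ == "__main__":
    result = audit_unauthenticated_exposure(SAMPLE_ROBOTS_TXT, simulated_fetch)
    for bucket, paths in result.items():
        print(f"{bucket}: {paths}")
```

To run this against a site you are responsible for, swap `simulated_fetch` for a function that issues a GET with no cookies or Authorization header (for example with `urllib.request`) and returns the status code; treat a redirect to a login page as protected and a 200 carrying form contents as exposed. Anything in the "exposed" bucket is exactly the situation the post describes: a page the owner wanted hidden, advertised in robots.txt, and served to anyone who asks.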
Privacy
Once again, on face value this just looks like someone will gain access to fill out forms and be a nuisance to the client business. However, on further investigation I have discovered that some of these URLs contain plaintext information such as names, email addresses, and telephone numbers of staff members. In one particularly negligent case (which I only found today), names of parents and their children, including dates of birth, telephone numbers, email addresses of the parent plus their signatures, and names, email addresses, telephone numbers and signatures of that child's sporting coach.
That last case is extreme, but it's there, in plain sight, for anyone who happens to find the right base URL and path of that particular case.
In short, This. Is. Negligent.
What I have done so far
As I say, I first noticed this about 5 years ago, and immediately informed my client, and
the Health and Safety company involved about it. I ended up being invited to a meeting with them all, and explained my findings and told them these pages should, at the very least, be behind some kind of authentication. From this they decided they would put in
some authentication - but only as groups, i.e. office@clientem.ail, warehouse@clientem.ail etc. and not per user.
Shocking. But at least it was something.
Although... it isn't something... they only did it for my client, so perhaps they just
wanted to shut me up. I don't know. But other paths remained without authentication.
As time went on, new "apps" for my client appeared (once again without authentication) and so I warned my client about it again, and again, and again.
Over the last week this has reared its ugly head again. I once again provided warning to my client with reasons why.
Humorously, my client forwarded my email to the Health and Safety company and their response to it went like the below:
We are in the process of modifying our own internal app and it is not normally
publicly available, and has now been returned to password protection. To of
found the URL for our own internal app would of taken more than bad acting,
and probably more aligned with IT guru / junior hacker.
"Not normally publicly available"?! Well, I've seen it publicly available for 5 years. "To have found the URL for our own internal app ... hacker"!? Erm... no. I've proved already this can be found by anyone just looking around, no hacking required (well, no authentication required, so nothing to hack).
My Actions
OK, they haven't "accused" me of hacking, but it's close.
I have not dignified that email with a response. But, I have reported the Health and Safety company to the ICO, providing links to the robots.txt page
and the direct URL of the page containing parents and child information mentioned above. I'll let them deal with it from here.
However, the term "hacker" has been used, and I am very aware of court cases that have happened where a good samaritan trying to help protect people has instead been victimised and made out to be the "malicious hacker"
because people simply do not understand how the internet works.
So, for fear that something like that could happen to me, this article is my statement.
I ask anyone actively involved in System Administration, Cyber Security, Data Protection, etc. to please get involved and share this article.
If you like, you can join in on this Fediverse/Mastodon thread too.
Thank you for reading. I'm a bad writer and I don't write much, but I really needed to vent this, and put it somewhere for all to see.