How did I access the personal data of 140,000 employees of a transport company?
This is my first write-up, feel free to give me feedback on Twitter (@thibeault_chenu) or in the comments to help me for the futur. 🙂
Introduction
During one night last summer I was interested in the security of a popular transport 🚌 company in France.
I usually start by looking at the company’s main website to find out what technology (Wappalyzer) is being used to perform different audits:
- Is there a login or registration area?
- Is there an admin dashboard?
- Which plugins are used in the case of a CMS? In which versions?
That night I didn’t find anything interesting except for the fact that the website is a Drupal. I will systematically try to get the subdomains using different tools like Sublist3r.
This search will be fruitful because I will find no less than 111 sub-domains.
After a logical sorting I am interested in two sub-domains yy.xxxx.fr & admin-yy.xxxx.fr
Analysis of the sub-domain : yy.xxxx.fr
This sub-domain concerns the works council, the first black point is that this type of internal site should only be accessible to the company’s employees.
We find events, hobbies, trips etc. at reduced prices for employees.
This site uses EZ Publish (5.x.x), so there is a login page on http://yy.xxxx.fr/user/login.
For access to this platform, you need an identification number and a password and you cannot create a new account without an administrator verification.
I could have looked for an identification number because several people have posted pictures of their fines on Twitter for example, on these fines is the identification number of the agent who sanctioned the person.
Once the identification number obtained I could have made brute force to try to access the platform because it had no restrictions (CAPTCHA or WAF etc.)
But this method is not something I like, it’s not interesting enough so let’s move on to the other sub-domain. 👀
Analysis of the sub-domain : yy-admin.xxxx.fr
As you may have guessed, this site is the EZ Publish administration of the previous sub-domain. 😏
Oh, it is possible to create an account.
I was able to bypass the verification to create an account, if I try to log in to yy.xxxx.fr it works fine.
My “Test” account is connected and I have access to the whole platform.
Once logged in, we can modify our account information via this URL: yy.xxxx.fr/content/edit/11111111
Immediately I think of an IDOR flaw when looking at the URL, if I change the content identification (11111..) I access another content…another person’s account.🤦♂️
Knowing that the company has about 140,000 employees, I only have to decrement the identifier by -1 each time to access and update the data for ALL employees.
We find there:
- Lastname
- Firstname
- Street
- Postal code
- Adresse
- City
- Identification number
- Email adresse (professional & personal)
But not the password as you might think on the screen above. (it’s an empty field with a generic password in placeholder)
Let us not stop there.
Administration access
Knowing that we can change a user’s information, we can potentially change an administrator’s password to access the administration dashboard.
He is usually the first user (ID=1).
I was able to access administration through the IDOR flaw and access other types of data.
Consequences
- Access to the information of 140,000 (approximately) former employees or employees.
- Possibility of access to the administration of the site by changing the administrator password.
- Possibility to change the password of each official and thus have a possible impact on other areas of the company (assumption)
- Possibility to perform phishing via the email from the works council site after having had access to the administration panel.
The company was alerted and corrected the problem by restricting access to the domain: admin-yy.xxxx.fr
Thank you for your reading ! 😇