An EU-sponsored GDPR consulting website managed by Proton Technologies had a vulnerability that allowed anyone to clone it and extract a MySQL database user name and password.
The vulnerability in question made it possible to clone the entire contents of the website's /.git/ repository, as explained by Pen Test Partners in a blog post on what it found on the GDPR.eu advice site.
“The irony of an EU-funded GDPR security website is not lost on us,” mused the security consultancy.
GDPR.eu is managed by Proton Technologies AG, better known as the Swiss company behind the ProtonMail messaging service, which prides itself on being the leader of the pack in everything related to security and privacy. Although it is not an official EU site as such, it carries a prominent header reading “This project is co-funded by the Horizon 2020 framework program of the European Union”, as well as a graphic of the EU flag.
In the /.git/ repo were the keys to the WordPress realm of GDPR.eu: a complete copy of wp-config.php. In a WordPress installation, wp-config.php is the critical file containing a cleartext copy of the username and password of the SQL database backing the entire site. An attacker with this information could wipe the site, rewrite its content or deface it.
“It is an internal system, so it would not be harmless to compromise it externally unless the password is reused elsewhere,” noted PTP, in fairness to Proton Technologies.
A Proton Technologies spokesperson told The Register it was a “legitimate finding” while agreeing with the level of severity.
The spokesperson said: “We were notified of this problem on Friday April 24 and a fix was deployed shortly after. Gdpr.eu is hosted on an independent third-party infrastructure, does not contain any user data, and the information exposed in the git folder cannot degrade gdpr.eu as access to the database is limited to internal only; however, this is a legitimate discovery as part of our bug program. It is important to note that no personal information is stored on gdpr.eu and at no time was any sensitive data at risk.”
If you have left your /.git/ repository exposed alongside your WordPress website, treat all the information it contains – not just that in wp-config.php – as compromised and change it immediately, advised PTP. These credentials can include, for example, the administrator username and password for the WordPress installation. ®
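As an added example (not code from the article, from Pen Test Partners or from Proton), here is a small self-check a site operator can run against their own domain to confirm that /.git/ is not served: it fetches /.git/HEAD and /.git/config and verifies that the bodies really look like git files rather than a soft-404 page. The response bodies in the comments and test are constructed, and the hostname is whatever you pass on the command line.

```python
"""Self-check for an exposed .git directory next to a web root.

Added example, not from the article: `looks_like_git_head()` and
`looks_like_git_config()` decide from a (status, body) pair whether a
response is a genuine git file; `check_git_exposure()` fetches the two
well-known paths from a site you operate. Sample bodies are constructed.
"""
import re
import urllib.error
import urllib.request

# A real .git/HEAD is one line: "ref: refs/heads/<branch>" or a bare 40-hex SHA-1.
_HEAD_RE = re.compile(r"^(ref: refs/heads/\S+|[0-9a-f]{40})$")
# A standard .git/config opens with a [core] section.
_CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)


def looks_like_git_head(status: int, body: str) -> bool:
    """True only for a 200 whose body is a genuine HEAD file, not an HTML error page."""
    return status == 200 and bool(_HEAD_RE.match(body.strip()))


def looks_like_git_config(status: int, body: str) -> bool:
    """True only for a 200 whose body starts with a git [core] section."""
    return status == 200 and bool(_CONFIG_RE.search(body))


def classify(head: tuple, config: tuple) -> str:
    """Summarise two (status, body) pairs as 'exposed', 'partial' or 'clean'."""
    hits = int(looks_like_git_head(*head)) + int(looks_like_git_config(*config))
    return {2: "exposed", 1: "partial", 0: "clean"}[hits]


def _fetch(url: str) -> tuple:
    """Return (status, first 4 KiB of body); network errors map to status 0."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def check_git_exposure(base_url: str) -> str:
    """Probe <base_url>/.git/HEAD and /.git/config on a site you are responsible for."""
    base = base_url.rstrip("/")
    return classify(_fetch(base + "/.git/HEAD"), _fetch(base + "/.git/config"))


if __name__ == "__main__":
    import sys
    print(check_git_exposure(sys.argv[1]))  # e.g. python3 gitcheck.py https://example.org
```

A result other than "clean" means the web server is serving the repository: deny the path at the server (for nginx, a `location ~ /\.git { deny all; }` block) or move the checkout out of the document root, then rotate every secret the repo ever contained, as PTP advises.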