Civic service database exposed user data

On Saturday, May 30, two security researchers contacted the civic service agency to report that one of its databases was freely reachable on the Internet, with no authentication required. In total, the data of more than 286,000 citizens who had taken part in civic service was exposed by this database: surnames, first names, dates of birth and e-mail addresses, and in some cases links to CVs. All of this is personal, identifying data that must be protected.

The database was discovered by security researcher Bob Diachenko, as reported by the US site Comparitech. He then contacted French security researcher Baptiste Robert (@fs0c131y), who helped him identify the database in question and reach the management of the civic service. Robert told ZDNet that he first verified that the data was genuine before passing the information to the office of Gabriel Attal, Secretary of State to the Minister of National Education and Youth, which put him in contact with the management of the civic service. According to Baptiste Robert, the exposure was fixed "a few hours" after that contact on Saturday, May 30.

“The leak in question comes from a MongoDB database left open, without authentication,” said the security researcher. “Last Wednesday, a provider of the administration made a configuration error by putting the database online without any authentication measure, which could allow a third party to view the data it contained.”

According to Diachenko, the database held several distinct data sets. The first contained the data of 286,000 citizens who had taken part in civic service; this set held only their names and dates of birth. The second, with 373,000 entries, gathered data from the ELISA application, which is used for the paperless management of contracts between civic service volunteers and the companies that wish to take them on. It therefore contained data on the participating companies (SIRET number, contracts and documents) in addition to data on the volunteers. The third set held website and intranet login information, with more than a million entries: e-mail addresses, names and passwords of users registered on the platform.

More fear than harm

The civic service agency was “very responsive” in closing the hole, according to Baptiste Robert. “Yes, their provider made a mistake, but overall the response from the civic agency was pretty good. We have avoided the worst, that is to say the ransoming of data by a malicious third party,” continues the security researcher. That practice has indeed become common in recent years: attackers take advantage of the profusion of badly configured MongoDB databases to wipe their contents and blackmail the owners, leaving behind a ransom note that offers to return a copy of the deleted data in exchange for a few bitcoins.
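The misconfiguration the researcher describes (a MongoDB instance put online without authentication) and the wave of ransom attacks on such instances both come down to a handful of lines in mongod.conf. As an added example that is not part of the original article, and not the actual configuration of the agency or its provider, the Python below holds two constructed mongod.conf fragments, one open and one hardened, and a small audit that flags the open one. The parser is a deliberately minimal reader for the nested `key: value` subset of YAML that mongod.conf uses; the config values, paths and addresses are illustrative assumptions.

```python
"""Audit a mongod.conf for the settings behind most 'open MongoDB' exposures.

Constructed example: the two config fragments are illustrative, not the
configuration of the civic service agency or its provider.
"""

# Constructed sample: a mongod.conf of the kind that Internet-wide scanners index.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
# no 'security' block: no authorization, no TLS
"""

# Constructed sample: the same server, hardened.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private address
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled       # every client must authenticate
"""

# Bind addresses that expose the port on all interfaces.
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text: str) -> dict:
    """Parse the nested 'key: value' map subset of YAML used by mongod.conf.

    Deliberately minimal: no lists, anchors, quoting or multi-line scalars,
    and anything after '#' is treated as a comment.
    """
    root = {}
    stack = [(-1, root)]            # (indent, mapping) for each open block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close blocks at the same or deeper indent
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":                # 'key:' with nothing after it opens a block
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text: str) -> list:
    """Return findings for a mongod.conf; an empty list means the checks pass."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # 1. Network exposure: a wildcard bindIp or bindIpAll puts the port on every interface.
    bind_ip = net.get("bindIp")
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    if bind_all or (bind_ip and {ip.strip() for ip in str(bind_ip).split(",")} & WILDCARD_BINDS):
        findings.append("net.bindIp: mongod listens on all interfaces")
    elif bind_ip is None:
        # 3.6+ binaries default to localhost; older builds defaulted to all interfaces.
        findings.append("net.bindIp: not set explicitly, behaviour depends on the MongoDB version")

    # 2. Access control: without this, anyone who reaches the port reads and writes every collection.
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization: not enabled, unauthenticated access allowed")

    # 3. Transport: plaintext unless TLS is required (net.tls is the 4.2+ spelling of net.ssl).
    tls_mode = str(net.get("tls", {}).get("mode", "disabled"))
    if tls_mode != "requireTLS":
        findings.append(f"net.tls.mode: {tls_mode}, clients may connect in plaintext")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or 'no findings'}")
```

Run against the two fragments, the weak one produces three findings and the hardened one none. The bind address check comes first on purpose: an instance that listens only on loopback or a private address is not reachable by the scanners that index open MongoDB servers, so it is the setting that decides whether a missing `authorization: enabled` becomes a public exposure. After an incident of this kind, the check a practitioner also wants is a review of the mongod log, which at default verbosity records each accepted connection with the client address, to see which addresses actually connected while the port was open.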

In a press release relayed by Comparitech, the civic service agency said it had closed the security hole and notified the CNIL, the French data protection authority, of the exposure. The agency says it has detected no malicious activity and promises a security audit of its systems.

One question remains open for the two researchers. Although no malicious activity was detected, Bob Diachenko points out that an unknown IP address, belonging neither to him nor to Baptiste Robert, connected to the database three days before he discovered it. That date matches the day the database was indexed by the search engine, which suggests a third party may have located the database before the researchers did. We have contacted the Civic Service Agency about this data exposure and will update the article with its response.
