PhilSys fixes Exposed Email Credential

Description

PhilSys exposed a configuration file containing the credentials of its email account. This email account is used to send OTP verification codes to users who register for a PhilSys account.

Proof of Concept

  1. Visit and log in to https://github.com/
  2. Search for user:msp-eagle philsys
  3. The search results display public commits for an email config
  4. Open the commit and you will see the email credentials of PhilSys

Impact

This could allow an attacker to access the PhilSys mail server and potentially retrieve the email addresses of all users.

Recommendation

  • Change the privacy settings of your GitHub repo from Public to Private.
  • Never include sensitive information such as credentials in code or configuration that is deployed or published online.
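As an added illustration of the second recommendation (this is example code, not PhilSys's or anyone else's actual configuration), the script below does two things: it scans a .env-style config file for secret keys that carry a literal value, which is the kind of check a pre-commit hook or CI job should run before anything is pushed to a public repo, and it shows the hardened alternative of loading the mail password from the process environment so it never sits in a tracked file. The key names (MAIL_HOST, MAIL_PASSWORD, etc.) and the sample config contents are assumed and constructed for this example.

```python
"""Added example, not from the PhilSys repository: flag hard-coded mail
credentials in a config file, and load them from the environment instead.
All key names and sample values below are constructed for illustration."""
import os
import re
from typing import List, Tuple

# Assignment lines whose key looks like a secret. The key names are assumed
# typical .env conventions, not taken from any real project.
SECRET_KEY_PATTERN = re.compile(
    r"^\s*(?P<key>[A-Z0-9_]*(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*)"
    r"\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def find_hardcoded_secrets(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for every secret key assigned a literal value.

    Empty values, placeholders like ${VAR}, and 'null' are treated as safe
    because the real value is expected to come from the environment."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = SECRET_KEY_PATTERN.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("\"'")
        if value == "" or value.startswith("${") or value.lower() == "null":
            continue
        findings.append((lineno, m.group("key")))
    return findings


def load_mail_settings(env=None) -> dict:
    """Hardened pattern: the password is read from the process environment
    (or whatever a secret manager injects there) and a missing value fails
    fast instead of silently falling back to a default."""
    env = os.environ if env is None else env
    password = env.get("MAIL_PASSWORD")
    if not password:
        raise RuntimeError(
            "MAIL_PASSWORD is not set; refusing to start without a mail credential"
        )
    return {
        "host": env.get("MAIL_HOST", "localhost"),
        "port": int(env.get("MAIL_PORT", "587")),
        "username": env.get("MAIL_USERNAME", ""),
        "password": password,
    }


# Constructed sample of the kind of .env content that must never be committed.
LEAKY_CONFIG = """\
APP_NAME=example-app
MAIL_HOST=smtp.example.test
MAIL_USERNAME=otp-sender@example.test
MAIL_PASSWORD=hunter2-not-a-real-password
"""

# Same file with the secret left to the environment; safe to track.
SAFE_CONFIG = """\
APP_NAME=example-app
MAIL_HOST=smtp.example.test
MAIL_USERNAME=otp-sender@example.test
MAIL_PASSWORD=
"""

if __name__ == "__main__":
    print("leaky config findings:", find_hardcoded_secrets(LEAKY_CONFIG))
    print("safe config findings:", find_hardcoded_secrets(SAFE_CONFIG))
    # Simulated environment standing in for a real secret store.
    print(load_mail_settings({"MAIL_PASSWORD": "from-env",
                              "MAIL_HOST": "smtp.example.test"}))
```

Running the scanner over the leaky sample reports line 4 (MAIL_PASSWORD); over the safe sample it reports nothing, and `load_mail_settings` refuses to start when the environment has no password, which is the failure mode you want rather than a working deployment that reads its secret from a committed file.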

Responsible Disclosure

The following documents my communications related to the disclosure of the issues I identified in this report.

  • April 28, 2021 6:58 pm - I reported the vulnerability
  • April 28, 2021 8:35 pm - This is the time I noticed that they had already removed the exposed credential.
  • April 28, 2021 10:15 pm - Full Disclosure