PhilSys exposes, in a public GitHub commit, a configuration file containing the credentials of its email account. This account is used to send the OTP verification code to users who register for a PhilSys account.
Proof of Concept
1. Visit https://github.com/ and log in.
2. Search for
3. The search results show public commits containing the email configuration.
4. Open the commit; it contains the PhilSys email credentials.
With these credentials an attacker could log in to the PhilSys mail server and potentially harvest the email addresses of every user who received an OTP.
Recommendation
- Change the privacy setting of the GitHub repository from Public to Private.
- Rotate the exposed email password: making the repository private does not remove the credential from the commit history, which may already have been cloned or indexed.
- Never commit credentials or other sensitive information to a repository or deployment; load them from environment variables or a secrets store instead.
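The proof of concept above finds the credential by searching public commits; the same check can be run locally before anything is pushed. The following is an added example, not code from the original report or from PhilSys: it walks the unified-diff output of `git log -p` and flags added lines that set a mail credential (MAIL_PASSWORD, SMTP_USERNAME, EMAIL_HOST_PASSWORD and similar) to a literal value, while ignoring placeholders and `${VAR}` references. The key names, the placeholder list and the sample diff are constructed for illustration.

```python
"""Scan git history for mail-server credentials committed in config files.

Added example (not from the original report). KEY_PATTERN, PLACEHOLDERS and
SAMPLE_DIFF are constructed assumptions; extend them for your framework.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Added lines (leading '+') that set a mail credential key to a value.
# Constructed key list covering common Laravel/Django/Spring names.
KEY_PATTERN = re.compile(
    r"^\+\s*(?P<key>(?:MAIL|SMTP|EMAIL)_"
    r"(?:USERNAME|USER|PASSWORD|PASS|HOST_PASSWORD|HOST_USER))"
    r"\s*[=:]\s*['\"]?(?P<value>[^'\"\s#]+)",
    re.IGNORECASE,
)

# Values that are templates rather than real secrets (constructed list).
PLACEHOLDERS = {"null", "none", "changeme", "secret", "password",
                "xxx", "your_password", "example"}


def redact(value: str) -> str:
    """Keep only the first and last two characters so a finding can be
    recognised without reprinting the whole secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_leaked_mail_credentials(diff_text: str) -> List[Dict[str, str]]:
    """Parse `git log -p` style output and report every added line that
    assigns a literal (non-placeholder) value to a mail credential key."""
    findings: List[Dict[str, str]] = []
    commit: Optional[str] = None
    path: Optional[str] = None
    for line in diff_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]          # commit hash of the hunk
            continue
        if line.startswith("+++ "):
            path = line[4:].strip()           # file the hunk writes to
            if path.startswith("b/"):
                path = path[2:]
            continue
        m = KEY_PATTERN.match(line)
        if not m:
            continue
        value = m.group("value")
        if value.lower() in PLACEHOLDERS or value.startswith("${"):
            continue  # template value or env-var reference, not a secret
        findings.append({
            "commit": commit or "?",
            "path": path or "?",
            "key": m.group("key"),
            "value": redact(value),
        })
    return findings


def scan_repo_history(repo_path: str) -> List[Dict[str, str]]:
    """Run the scan over the full history of a local clone (all branches)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all"],
        check=True, capture_output=True, text=True, errors="replace",
    ).stdout
    return find_leaked_mail_credentials(out)


# Constructed sample: a harmless template commit followed by a leaking one.
SAMPLE_DIFF = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

diff --git a/.env.example b/.env.example
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,3 @@
+MAIL_HOST=smtp.example.invalid
+MAIL_USERNAME=null
+MAIL_PASSWORD=${MAIL_PASSWORD}
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

diff --git a/config/mail.env b/config/mail.env
--- /dev/null
+++ b/config/mail.env
@@ -0,0 +1,3 @@
+MAIL_HOST=smtp.example.invalid
+MAIL_USERNAME=otp-sender@example.invalid
+MAIL_PASSWORD="Sup3rSecretPass!"
"""

if __name__ == "__main__":
    for f in find_leaked_mail_credentials(SAMPLE_DIFF):
        print(f"{f['commit'][:12]} {f['path']}: {f['key']}={f['value']}")
```

Run `scan_repo_history(".")` from a CI job or a pre-push hook and fail the build on any finding; because it reads the whole history rather than the working tree, it also catches a secret that was committed and then "removed" in a later commit, which is exactly the case where rotation is still required.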
The following documents my communications related to the disclosure of the issues I identified in this report.
- April 28, 2021 6:58 pm - I reported the vulnerability
- April 28, 2021 8:35 pm - I noticed that the exposed credential had already been removed.
- April 28, 2021 10:15 pm - Full Disclosure