Last year, PhilSys fixed multiple publicly accessible instances. You can read more about it here: https://atom.hackstreetboys.ph/philsys-fixes-publicly-accessible-instances/
On March 19, 2021, PhilSys held an online ceremonial event.
Watch it here: https://www.facebook.com/PSAPhilSysOfficial/videos/535006444135723
As of March 24, 2021, PhilSys had registered 25.7 million Filipinos. (Source)
As a security researcher and a concerned Filipino, I decided to perform another check on PhilSys, and I found publicly exposed PhilSys source code.
As you can see in the image shown above, the publicly accessible repositories under the GitHub user "Manoprabamp" had been updated, and the most recent update had been deployed 30 minutes before the time I discovered it.
This repository contains properties files (configs and links), credentials (usernames, passwords, secret keys, etc.), and other important information about PhilSys.
There were credentials for the PMS database, the Authentication Device, the Registration Device, Keycloak, and more.
This repository contains deployment scripts and blank database files.
I also found CSV files containing the following:
- A list of PhilSys registration centers
- A list of allowed documents
- A list of machines, including hostname, MAC address, serial number, public key, etc.
This repository contains Ansible scripts to run MOSIP on a multi-VM setup; it may be used for development and testing.
It also contains all of the secrets (passwords) used in the automation.
If a cybercriminal obtained this and managed to decrypt it, they could access PSA's GitHub, because the credentials of the GitHub user
philsysdev are also included in the vault.
mosip-infra-dos and mosip-infra-dost
Same as mosip-infra-new, but with a different secret vault; PSA's GitHub account is also included.
The following documents my communications related to the disclosure of the issues I identified in this report.
- March 19, 2021 - I reported my findings to PSA via someone who is working with them.
- March 20, 2021 - PSA removed the exposed source code in the user's GitHub account.
Recommendations to PhilSys
- Inform the third parties developing the platform never to do that again 😅
- Rotate the GitHub credentials and all other credentials stored in the exposed Ansible Vault, since anything in a repository that was public must be treated as compromised
- Perform continuous internal checks, such as scanning for exposed repositories and committed secrets
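The last recommendation is the one a team can automate. The Python below is an added example (not code from this post, PSA or MOSIP) of the kind of check a pre-commit hook or CI job would run over a checkout: it flags the three kinds of material the post describes, plaintext credentials in key/value config, committed Ansible Vault files, and private-key material, plus a generic high-entropy check that catches tokens the key-name rules miss, such as a password embedded in a Git remote URL. The file names, hostnames and values in SAMPLE_REPO are constructed for the example; the MOSIP-style property names are illustrative, not taken from the exposed repositories.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Key names that usually carry a credential in .properties (key=value) or YAML (key: value) files.
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:password|passwd|secret|token|api[_\-]?key)[\w.\-]*)"
    r"\s*[=:]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Header that ansible-vault writes as the first line of every encrypted file.
VAULT_HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256")
PEM_BEGIN_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
PEM_END_RE = re.compile(r"-----END (?:[A-Z ]+ )?PRIVATE KEY-----")
# Values that are templates or defaults rather than live secrets.
PLACEHOLDERS = {"", "changeme", "todo", "xxx"}
# Base64/hex-looking runs long enough to be a key or token.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Bits per character: random 20+ character tokens score above ~4.3, words, paths and hostnames stay below.
ENTROPY_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    detail: str


def shannon_entropy(s: str) -> float:
    """Entropy per character, estimated from the string's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    """True for template references (${VAR}, {{ var }}, <password>) and well-known dummy values."""
    v = value.strip("\"'").lower()
    return v in PLACEHOLDERS or v.startswith(("${", "{{", "<"))


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_pem = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if lineno == 1 and VAULT_HEADER_RE.match(line):
            findings.append(Finding(path, 1, "ansible-vault",
                                    "encrypted vault committed; rotate its contents if the repo was ever public"))
            break  # the rest is ciphertext; nothing more to learn from the text
        if in_pem:
            in_pem = not PEM_END_RE.search(line)  # skip the key body, report the block once
            continue
        if PEM_BEGIN_RE.search(line):
            findings.append(Finding(path, lineno, "private-key", "PEM private key block"))
            in_pem = True
            continue
        m = SECRET_KEY_RE.match(line)
        if m:
            value = m.group("value").strip("\"'")
            if not is_placeholder(value):
                findings.append(Finding(path, lineno, "credential", f"{m.group('key')} ({len(value)} chars)"))
            continue  # a key/value line is judged by its key name, not by entropy
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high-entropy",
                                        f"{len(token)}-char token, {shannon_entropy(token):.2f} bits/char"))
                break  # one finding per line is enough
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents, e.g. built from `git ls-files`."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository modelled on the file types the post describes; all names and values are made up.
SAMPLE_REPO = {
    "config/application-default.properties": (
        "mosip.pms.db.url=jdbc:postgresql://db.example.internal:5432/pms\n"
        "mosip.pms.db.user=pmsuser\n"
        "mosip.pms.db.password=Tr0ub4dor&3\n"
        "keycloak.client.secret=${KEYCLOAK_CLIENT_SECRET}\n"
    ),
    "group_vars/all.yml": (
        "registration_device_password: changeme\n"
        "auth_device_api_key: 4f9c2b7e8a1d4e6f9b0c3d2e1f8a7b6c\n"
        "git_remote: https://deploy:Q7x9mP2vL4kR8wZn3tB6yH1sD5fG0jA@git.example.internal/infra.git\n"
    ),
    "secrets.yml": "$ANSIBLE_VAULT;1.1;AES256\n6436316165386262656435386336\n",
    "README.md": "Run ansible-playbook site.yml against the multi-VM inventory.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: [{f.kind}] {f.detail}")
```

Two caveats a practitioner would add. First, the vault hit is deliberate: an encrypted vault in a public repository is protected only by its vault password, so its contents are rotated rather than trusted. Second, this scans the working tree; a secret deleted in the latest commit still lives in history, so the same scan has to be run over `git log -p` output (or every historical blob) before a repository that was public is considered clean.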