Quick Security & Privacy Analysis of PNP Cyber Watch Website

On 10th July 2021, I learned that the Philippine National Police's Anti-Cybercrime Group (PNP ACG) had released a web application named Cyber Watch. It lets you search whether certain information, such as a mobile number, social media profile, or email address, has been reported to PNP ACG.

PNP Cyber Watch Website

Findings

I did a quick security and privacy analysis of the website and noticed the following:

  • PNP-001: The website collects the visitor/requestor's government ID, but this is never mentioned in their Privacy Policy. (FIXED)
Form that collects data
List of Information they collect based on their Privacy Policy
  • PNP-002: The website does not follow security best practice: on checking, it sets none of the important HTTP security headers. (FIXED)
Result of Security Headers check from https://securityheaders.com/
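
As an added example (not code from the original post or from the Cyber Watch site), the following Python script checks a response's header set for the security headers that scanners such as securityheaders.com report on, and also flags headers that are present but weakly configured. The two header sets at the bottom are constructed to stand in for the "before" and "after" states; the list of recommended headers and the HSTS max-age threshold are this example's own assumptions.

```python
import re

# Added example (not from the original post). Headers that scanners such as
# securityheaders.com look for, with the reason each one matters.
RECOMMENDED = {
    "strict-transport-security": "forces browsers to use HTTPS on later visits",
    "content-security-policy": "restricts where scripts, styles and frames may load from",
    "x-frame-options": "prevents clickjacking by refusing to be framed",
    "x-content-type-options": "stops MIME sniffing (value must be 'nosniff')",
    "referrer-policy": "limits referrer leakage to third parties",
    "permissions-policy": "limits access to browser features (camera, geolocation, ...)",
}

HSTS_MIN_MAX_AGE = 15552000  # 180 days; threshold assumed by this example


def normalize(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def missing_security_headers(headers):
    """Return the recommended headers that are absent, sorted by name."""
    present = normalize(headers)
    return sorted(name for name in RECOMMENDED if name not in present)


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def weak_header_values(headers):
    """Return (header, problem) pairs for headers that are present but weak."""
    h = normalize(headers)
    problems = []
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            problems.append(("strict-transport-security",
                             "max-age missing or shorter than 180 days"))
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        problems.append(("x-content-type-options", "value must be 'nosniff'"))
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        problems.append(("x-frame-options", "use DENY or SAMEORIGIN"))
    csp = h.get("content-security-policy")
    if csp is not None:
        d = parse_csp(csp)
        # script-src falls back to default-src when it is not declared
        script_sources = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            problems.append(("content-security-policy",
                             "script-src allows 'unsafe-inline'"))
    return problems


def grade(headers):
    """'pass' only when nothing is missing and nothing is weak."""
    if missing_security_headers(headers) or weak_header_values(headers):
        return "fail"
    return "pass"


# Constructed sample responses (not captured from the real site).
BEFORE = {"Server": "nginx", "Content-Type": "text/html; charset=utf-8"}
AFTER = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=()",
}

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, grade(resp))
        for name in missing_security_headers(resp):
            print("  missing", name, "-", RECOMMENDED[name])
        for name, problem in weak_header_values(resp):
            print("  weak   ", name, "-", problem)
```

To run this against a live site you would replace the constructed dictionaries with the headers from an HTTP client's response object; the checks themselves do not depend on how the headers were obtained.
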
  • PNP-003: They collect and store information but never state how long the visitor/requestor's data will be retained. (FIXED)
Privacy Policy of Cyber Watch Website
  • PNP-004: Possible One Time Password bypass when searching for data

Based on the searchData function in their source code, if the visitor/requestor's HTTP request returns a response with response.error == false, the client continues with the data search.

Before that conditional there appears to be a check that the values of the confirmation and otp parameters match on the backend.

So if you already have a previously issued otp value and its matching confirmation, you could reuse them and simply send multiple search-data HTTP requests.

Code block for searchData function
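
The weakness described above is that the outcome of the OTP check is effectively decided by what the client sees in response.error, and that a previously valid confirmation/otp pair is never invalidated. As an added example that is not the site's code, here is a Python sketch of the server-side pattern that closes that gap: the backend keeps only a hash of the code together with an expiry and an attempt counter, and a confirmation/otp pair is consumed on its first successful use, so a replayed pair is refused. OtpStore, search_data, the constants and the reported-data table are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 5        # assumption: discard the code after 5 wrong guesses


class OtpStore:
    """Server-side record of issued codes, keyed by the confirmation id.
    Hypothetical class written for this example."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}

    def issue(self, subject):
        """Create a confirmation id and a 6-digit OTP for `subject`.
        Only the hash of the OTP is kept; the plain code is delivered
        out of band (SMS/email) and never stored."""
        confirmation = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._records[confirmation] = {
            "subject": subject,
            "otp_hash": hashlib.sha256(otp.encode()).digest(),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return confirmation, otp

    def redeem(self, confirmation, otp):
        """Consume the code. Returns the subject on success, None otherwise.
        The record is removed on success, on expiry, or when attempts run
        out, so a (confirmation, otp) pair seen in one request cannot be
        replayed in a second one."""
        rec = self._records.get(confirmation)
        if rec is None:
            return None
        if self._clock() > rec["expires"]:
            del self._records[confirmation]
            return None
        rec["attempts"] += 1
        given = hashlib.sha256(otp.encode()).digest()
        # constant-time comparison so the check does not leak via timing
        if not hmac.compare_digest(given, rec["otp_hash"]):
            if rec["attempts"] >= MAX_ATTEMPTS:
                del self._records[confirmation]
            return None
        del self._records[confirmation]  # single use
        return rec["subject"]


# Constructed stand-in for the reported-data lookup (not real data).
REPORTED = {"+63-9XX-000-0001": "reported 2021-06-01 (constructed sample)"}


def search_data(store, confirmation, otp, query):
    """Server-side search handler: the OTP is verified here, not in the
    client, and each code is accepted exactly once."""
    subject = store.redeem(confirmation, otp)
    if subject is None:
        return {"error": True, "message": "invalid, expired or already used code"}
    return {"error": False, "result": REPORTED.get(query, "no report found")}


if __name__ == "__main__":
    store = OtpStore()
    confirmation, otp = store.issue("visitor@example.invalid")
    print(search_data(store, confirmation, otp, "+63-9XX-000-0001"))
    # the same pair a second time is refused
    print(search_data(store, confirmation, otp, "+63-9XX-000-0001"))
```

The client-side check in the original searchData can stay as a convenience, but the decision must be made by the backend handler, which returns error == true for a reused, expired or guessed code regardless of what the page's JavaScript does.
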

  • PNP-005: Missing Web Application Firewall like Cloudflare

Upon checking the web application, my Shodan browser extension revealed some information about the website.

The origin IP of Cyber Watch is 54.179.65.9.

It is currently hosted on Amazon Web Services (AWS), with 3 open ports.

Port 22 (SSH) - The SSH service is open to the public, and anyone who knows the SSH credentials could connect to it. This service must be filtered or not publicly accessible.

Port 443 (HTTPS) - HTTPS is the service that serves the website over an encrypted connection (HTTP is the unencrypted equivalent).

Port 3306 (MySQL) - The MySQL service is open to the public just like SSH, and anyone who knows the credentials could access the PNP Cyber Crime database. Like SSH, this service must be filtered or not publicly accessible.

If they implemented Cloudflare, it could hide the application's origin IP and open ports, and additionally protect the website from Distributed Denial of Service (DDoS) attacks.

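Whether or not a CDN/WAF such as Cloudflare is put in front, the exposure of SSH and MySQL comes down to the inbound rules on the AWS security group. As an added example (not the site's configuration and not the post's own code), the Python below evaluates a set of AWS-style ingress rules and reports admin ports reachable from 0.0.0.0/0 or ::/0; it also checks whether port 443 is world-open, because a WAF in front only helps if the origin does not accept traffic directly from the whole internet. The rule sets and the CIDR ranges (198.51.100.0/24 for an admin VPN, 203.0.113.0/24 standing in for the CDN's egress ranges, 10.0.0.0/16 for the VPC) are constructed placeholders.

```python
import ipaddress

# Ports that should never be reachable from the whole internet. Assumption
# for this example: SSH and MySQL, the two services the post found exposed.
ADMIN_PORTS = {22: "SSH", 3306: "MySQL"}


def is_world_open(cidr):
    """True when the CIDR admits the entire IPv4 or IPv6 internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def exposed_ports(ingress_rules, ports):
    """Return sorted (port, cidr) pairs for each port in `ports` that some
    rule opens to the whole internet. Rules use the AWS security-group
    shape: protocol ('tcp', 'udp' or '-1' for all), from_port, to_port, cidrs."""
    findings = set()
    for rule in ingress_rules:
        proto = rule.get("protocol", "tcp")
        if proto not in ("tcp", "-1"):
            continue
        for cidr in rule["cidrs"]:
            if not is_world_open(cidr):
                continue
            for port in ports:
                # protocol -1 means every port; otherwise check the port range
                if proto == "-1" or rule["from_port"] <= port <= rule["to_port"]:
                    findings.add((port, cidr))
    return sorted(findings)


def admin_port_findings(ingress_rules):
    """(port, service, cidr) for every admin port open to the internet."""
    return [(port, ADMIN_PORTS[port], cidr)
            for port, cidr in exposed_ports(ingress_rules, ADMIN_PORTS)]


def origin_directly_reachable(ingress_rules):
    """True when 443 accepts the whole internet. With a CDN/WAF in front,
    the origin should instead accept 443 only from the CDN's ranges."""
    return bool(exposed_ports(ingress_rules, [443]))


# Constructed rule sets: the exposure described in the post, then a tightened version.
BEFORE = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0", "::/0"]},
    {"protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidrs": ["0.0.0.0/0"]},
]
AFTER = [
    # SSH only from a placeholder admin VPN range
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["198.51.100.0/24"]},
    # HTTPS only from a placeholder standing in for the CDN/WAF egress ranges
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["203.0.113.0/24"]},
    # MySQL only from inside the VPC
    {"protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidrs": ["10.0.0.0/16"]},
]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, "admin ports exposed:", admin_port_findings(rules),
              "| origin reachable on 443 from anywhere:", origin_directly_reachable(rules))
```

The same evaluation can be fed from a real account by mapping each IpPermission entry of a DescribeSecurityGroups result onto the rule dictionaries used here.

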
  • PNP-006: Vulnerable jQuery library (FIXED)

The Cyber Watch website uses jQuery version 3.1.1, which is affected by 3 CVE records.

  1. CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
  2. CVE-2020-11022: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
  3. CVE-2020-11023: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
  • PNP-007: Accessible HTML template (FIXED)

They failed to remove the HTML template they used while developing the website. This leftover template could be vulnerable to some web application attacks.

Fixes

  • PNP-001: They now mention "Government ID Details" in their Privacy Notice.
  • PNP-002: They have now implemented all the missing security headers.
  • PNP-003: They now have a "Data Retention" section in their Privacy Notice.
  • PNP-004: I can't confirm the fix since I have no authorization to test it. (I've noticed some changes in the searchData function, but they look more like the removal of some comments.)
  • PNP-005: I don't see any implementation of Cloudflare. (It's up to them whether they want to implement Cloudflare or not.)
  • PNP-006: They changed the jQuery version from the vulnerable 3.3.1 to 3.6.0.
  • PNP-007: They now restrict public users from accessing the template directory.

Responsible Disclosure

  • July 10, 2021 | 1:51 PM - Sent an email to PNP ITMS and PNP ACG (copying NCERT and NPC's Compliance Division) about the findings.
  • July 20, 2021 | 5:37 AM - Still no response from them to this specific email, but after noticing some changes on the website I sent a reply to PNP ITMS and PNP ACG (copying NCERT and NPC's Compliance Division) confirming the fix of 5/7 items listed above. I also informed them that I would publish this blog post on Friday, July 23, 2021.
  • July 25, 2021 | 4:04 AM - Fully disclosed. (Since most findings were already resolved and the remaining 2 seem to be an 'accepted risk' for them, I decided to publish.)