So this is a weird one, during a discussion about port scanning with colleagues i showed them shodan.io. – beautiful website, check it out! I used the IP-range of an other educational institution. While browsing though the result we spotted a reception pillar accessible from the internet. Why?
While playing around with these endpoints i noticed it was possible to request the details of a user. These details include the email of the user, password hash and salt:
I informed the developer their software contained an information disclosure vulnarability and one of their customers was vulnerable over the internet. They were very adequate in there response!
- 22/01/2020: Initial disclosure to vendor
- 23/01/2020: Vendor acknowledged vulnerability
- 25/01/2020: A fix as been deployed & webpage removed from DMZ
- 27/01/2020: A phone call to thank me and goodies were received by mail a few days later