I often explore various websites to understand their security posture. Recently, during a routine analysis, I stumbled upon a vulnerability on a Dutch government website that exposed hashed passwords and other sensitive information. This experience not only highlighted the importance of security practices but also the potential risks associated with improper data handling.
*Always check the vulnerability disclosure program and obtain authorization before pen-testing.*

While investigating various public sector websites, I came across a Dutch government portal that provided numerous services to its citizens. Intrigued, I decided to perform a thorough review, focusing on how the site managed user authentication and data protection.
This was found after some subdomain enumeration and some sneaky dorks ;)
Upon examining the website, I started brute-forcing the directories. Now, many security researchers might have already done this...
So how do I get the actual juicy data?
AHHHHHHHHHHHH….
think outside the box!!
STEPS:
- Try to find information through Shodan, GitHub, directories from other subdomains and Google dorks.
- Perform recursive brute-forcing rather than just one directory. (If it helps you... I found out it had a GitHub repo through Sub404, Wappalyzer, AND LUCK.)
This led me to one endpoint, and upon accessing it, I was surprised to find a JSON response that included hashed passwords.
Hashed Passwords: While hashing passwords is a standard security practice, exposing them alongside usernames can still pose a risk. If the hashing algorithm is weak or if additional vulnerabilities exist, attackers could potentially compromise user accounts.
Additional Sensitive Data: The presence of usernames and email addresses alongside the hashed passwords amplified the potential for phishing attacks or targeted exploitation.

To further understand the risk associated with this discovery, I considered several factors:
Hashing Algorithm: The hashed passwords used the bcrypt algorithm, which is generally considered secure. However, the fact that they were publicly accessible raised concerns about potential brute force attacks or rainbow table vulnerabilities.
User Impact: With usernames and hashed passwords available, an attacker could attempt to crack the hashes using various methods, potentially compromising user accounts.

Recognizing the severity of this exposure, I carefully documented my findings to report to the relevant authorities. My report included:
Title: Exposure of Hashed Passwords and User Data on Dutch Government Website
Description: An overview of the vulnerability, detailing the accessibility of hashed passwords and associated user data.
Steps to Reproduce: A clear guide on how to access the exposed endpoint and retrieve the sensitive information.
Impact Assessment: An analysis of the risks involved, including potential account compromise and the need for user notification.
Recommendations: Suggestions for remediation, such as improving access controls, ensuring sensitive data is not publicly accessible, and implementing additional security measures like rate limiting.

I submitted my report through the appropriate channels, emphasizing the urgency of addressing the issue. You could do the same by reporting it to them through their CVD (coordinated vulnerability disclosure) process.
This experience served as a crucial reminder of the importance of robust security practices, even for government websites that handle sensitive citizen data. Here are a few key takeaways:
Always Review Code and Data Access: Regular audits of endpoints and data exposure are essential to identify potential vulnerabilities.
Sensitive Data Handling: Even hashed passwords should be treated with caution. Ensure that sensitive information is not unnecessarily exposed.
Collaboration and Responsiveness: Reporting vulnerabilities responsibly can lead to positive changes and improved security measures for organizations, ultimately protecting users.
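The first takeaway, auditing endpoints for data exposure, can be automated for exactly the bug described above: a JSON response that serializes bcrypt hashes. The following is an added example (not code from the post or from the affected site) that walks a JSON body for strings in bcrypt's modular-crypt format and shows an allowlist serializer as the fix; the field names, the allowlist and the sample response are constructed for illustration.

```python
import json
import re
from typing import Any, List, Tuple

# bcrypt modular-crypt format: $2a$/$2b$/$2x$/$2y$, a two-digit cost, then
# 22 salt + 31 digest characters from the bcrypt base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")

# Fields a user-listing endpoint may legitimately return (hypothetical allowlist).
SAFE_USER_FIELDS = ("id", "username")


def find_bcrypt_hashes(obj: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Recursively walk decoded JSON; return (json-path, value) for every bcrypt-looking string."""
    hits: List[Tuple[str, str]] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits.extend(find_bcrypt_hashes(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(find_bcrypt_hashes(value, f"{path}[{index}]"))
    elif isinstance(obj, str) and BCRYPT_RE.match(obj):
        hits.append((path, obj))
    return hits


def scan_response(body: str) -> List[Tuple[str, str]]:
    """Audit a raw JSON response body for leaked bcrypt hashes."""
    return find_bcrypt_hashes(json.loads(body))


def redact_users(body: str) -> str:
    """Hardened serializer: re-emit the user list with only allowlisted fields."""
    data = json.loads(body)
    data["users"] = [{k: u[k] for k in SAFE_USER_FIELDS if k in u} for u in data["users"]]
    return json.dumps(data)


# Constructed sample response; the hash strings are synthetic, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "users": [
        {"id": 1, "username": "jdoe", "email": "jdoe@example.org",
         "password": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
        {"id": 2, "username": "asmith", "email": "asmith@example.org",
         "password": "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
    ],
    "note": "$2b$12$ alone is not a hash",  # prefix only: must not match
})

if __name__ == "__main__":
    for json_path, value in scan_response(SAMPLE_RESPONSE):
        print(f"leaked hash at {json_path}: {value[:7]}...")
    print("hits after redaction:", scan_response(redact_users(SAMPLE_RESPONSE)))
```

Running the scanner over a CI snapshot of each public endpoint's response catches this class of leak before it reaches production; the same walk can be extended with patterns for other hash formats.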