The site, which can be found at the insecure non-HTTPS URL http://deloittehackeriq.com/, makes its YAML configuration file publicly available. The file contains the username and password of the site's MySQL database in plain text.
The site invites visitors to "Test your Hacker IQ" by entering a username. It then asks a series of multiple-choice questions about the techniques that hackers use to obtain company information. The questionnaire does not cover the possibility of publicly accessible passwords.
The bug was discovered on Wednesday by Tillie Kottmann, a Switzerland-based IT developer and consultancy that uses the handle deletescape. The website was taken down on Wednesday.
The deloittehackeriq.com domain was registered in 2015 by Tank Design, a Massachusetts-based digital marketing company. The website contains a 2015 copyright notice from Deloitte Development LLC.
Kottmann told The Register that the last commit in its .git repository was in 2017 and that it was unclear how actively the website was being used. The website was first captured by the Internet Archive's Wayback Machine in 2018.
Compounding the site's exposure, the questionnaire is hosted on Ubuntu Linux 14.04, which stopped receiving security patches in April last year and is potentially vulnerable to 11 known bugs.
Kottmann said, "Perhaps it's worth noting that many websites, including those of some other larger companies, have .git [repositories] exposed on multiple domains."
Source: The Register
Copyright © Grupo Edefa SA. Reproduction, in whole or in part, of this article is prohibited without the prior authorization of the publisher.