Again, hundreds of thousands of citizens' payments to the traffic police and the FSSP were in the public domain

Remember how I wrote on Habr and in my Telegram channel about how the payment details of users of the sites payment traffic police.rf, paygibdd.com, gos-oplata.ru, fines.net and oplata-fssp.ru, made in favor of the traffic police and the FSSP, turned out to be in the public domain?


Just do not laugh, this is not a joke at all - the same server with the data of the same system was again open to the whole world.

Well, let's go find out...

Disclaimer: all information below is published for educational purposes only. The author did not obtain access to the personal data of third parties or companies. The information was either taken from open sources or provided to the author by anonymous well-wishers.

To begin with, let me remind you a little of the chronology of events:

  • On 12.04.2019 (night), an Elasticsearch server was discovered that does not require authentication to connect.
  • On 13.04.2019 (morning), a notification was sent to the server owners.
  • On 13.04.2019 (in the afternoon), the server was "quietly" removed from open access.

At the time of the first shutdown of the server, the Elasticsearch indexes looked like this:

[Image: list of the Elasticsearch indexes at the time of the first shutdown]

And on 21.05.2019 at about 16:00 (Moscow time), the same Elasticsearch server, with the same (plus new) indexes, again appears in the public domain:

[Image: list of the Elasticsearch indexes after the server reappeared]

I couldn't believe my eyes when (immediately after the talk at PHDays on the topic of detecting open databases) I saw in my mail a notification from our DeviceLock Data Breach Intelligence. To be honest, the first thought was that this was some kind of system glitch.

However, no, it was not a glitch, and after double-checking everything manually, at 01:25 already on 22.05.2019, I again sent an alert to the same addresses as the first time.

Since the first closure, this server was scanned by Shodan 11 times and Elasticsearch was closed on it until May 21st.

Only on the morning of 24.05.2019 did this Elasticsearch disappear from public access for the second time. During this time, the indices had grown considerably:

[Image: list of the Elasticsearch indexes at the time of the second shutdown]

And if you look at the data (only significant information containing personal data of citizens) in the indices for the period from May 1 to May 22, then the picture is as follows:

  • 127,525 entries in the index paygibdd
  • 49,627 entries in the index shtrafov-net
  • 162,282 entries in the index oplata-fssp
  • 220,201 entries in the index gosoplata

An example of data from the gosoplata index:

[Image: sample record from the gosoplata index]

An example of data from the paygibdd index:

[Image: sample record from the paygibdd index]

Well, the icing on the cake was a letter from one of the addresses to which I sent alerts:

We received your letter about the open ElasticSearch - thanks for the information, the database was closed. The system administrator who reopened access was fired. The legal service is also preparing, for submission to the Ministry of Internal Affairs for the Republic of Tatarstan, a statement on signs of an offence under Articles 272 and 273 of the Criminal Code of the Russian Federation in the actions of the system administrator.
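An added example (not from the original post): a sketch of an owner-side regression check for the sequence described here, where an Elasticsearch server that had been closed became reachable without authentication again. The probe records, the cluster name and the function names are constructed for illustration; only the order of events follows the post.

```python
import json

# Constructed sample: results of unauthenticated "GET /" probes against one's own
# Elasticsearch HTTP port, as (time, HTTP status or None if refused, body).
# Only the order of events follows the post; the individual times are made up.
OPEN = '{"name":"node-1","cluster_name":"example","version":{"number":"6.0.0"}}'
DENY = '{"error":{"type":"security_exception"},"status":401}'
OBSERVATIONS = [
    ("2019-04-12T23:00", 200, OPEN),
    ("2019-04-13T09:00", 200, OPEN),
    ("2019-04-13T15:00", None, ""),
    ("2019-04-28T12:00", None, ""),
    ("2019-05-14T12:00", 401, DENY),
    ("2019-05-21T16:00", 200, OPEN),
    ("2019-05-22T01:25", 200, OPEN),
    ("2019-05-24T09:00", None, ""),
]

def classify(status, body):
    """Return 'open', 'auth_required', 'closed' or 'unknown' for one probe."""
    if status is None:
        return "closed"
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        # The Elasticsearch root endpoint answers with cluster metadata.
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"

def exposure_windows(observations):
    """Group consecutive 'open' probes into windows; flag every window after the first."""
    windows, current = [], None
    for when, status, body in sorted(observations, key=lambda o: o[0]):
        state = classify(status, body)
        if state == "open":
            if current is None:
                current = {"first_open": when, "last_open": when,
                           "reexposure": bool(windows)}
                windows.append(current)
            current["last_open"] = when
        elif state != "unknown":  # an inconclusive probe does not end a window
            current = None
    return windows

if __name__ == "__main__":
    for w in exposure_windows(OBSERVATIONS):
        print(w)
```

A window with `reexposure` set is the case worth paging on: the service was confirmed closed and has since answered without credentials again.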

News about information leaks and insiders can always be found on my Telegram channel "Information leaks": https://t.me/dataleak.

Source: habr.com
