PH: Civil Service Commission data breach, thousands of user details exposed
Art Samaniego reports:
A hacker who calls himself IamNoobie told me that he was so pissed-off with the way government agencies implement security in their websites and servers that he decided to “take matters into his own keyboard”.
IamNoobie noticed that the server of the Civil Service Commission (CSC) has promising results when he Google dorked government websites. Google Dorking is just like a simple search but instead of searching for words alone, the attacker could incorporate functions to get results that may show hidden contents or services. If for example, you want to limit your search results to a certain domain, you need to use the operator “site:” without the quotes, and if you just need to see specific file types, use “filetype:” again without the quotes to limit your search. So if for example, you need to see if there are excel files in government websites that could be accessed, input site:gov.ph filetype:xls in the search bar then press enter. Using this simple search function could give you interesting results.
Using passive scanning IamNoobie found out a bigger problem, the server is vulnerable to multiple vulnerabilities that could allow hackers to take over the server.