GDPR.EU has er… a data leakage issue

GDPR.EU is an advice site ‘operated by Proton Technologies AG, co-funded by … the EU Horizon Framework’. It’s full of useful advice for organisations that need to comply with GDPR.

Whilst it isn’t an official EU Commission site, it is partly funded by the EU. You may also be familiar with Proton Technologies. They’re the business behind ProtonMail, the rather cool end-to-end encrypted email service.

So imagine our surprise when we noticed a data leakage vulnerability in it!

It ended fairly well though; Proton responded reasonably quickly and fixed the bug 4 days later.

What vulnerability?

It’s an old one: the /.git/ folder is world readable. It’s been written about many times; we even wrote about the issue in 2013: https://www.pentestpartners.com/security-blog/git-extraction-abusing-version-control-systems/

Many of us have the DotGit browser plugin installed. It simply checks whether /.git/ is exposed on a web site.

Occasionally it pops up an alert. One of the team was reading up on GDPR… and it popped up.

How does the issue work?

It’s trivial then to clone the .git repository, as the files are effectively world-readable on the public internet. Google occasionally indexes /.git/ too.

So we get this:

Clearly a WordPress based web site.  ‘wp-config’ looks very interesting:

We’ve removed any sensitive data such as passwords

So that’s the MySQL database password exposed. Oops!

This is an internal system, so it wouldn’t be a trivial matter to compromise it externally unless the password is re-used elsewhere, but there could be other routes:

For example, “Authentication Unique Keys and Salts” are of concern, as these have been used in the past to forge administrative cookies, which could potentially be used to deface or compromise the site.

This is covered well in this blog post:  http://www.securitysift.com/understanding-wordpress-auth-cookies/

Exposing your database and other credentials certainly isn’t wise.

Disclosure

We emailed [email protected] – about 7 hours later they replied:

Thank you for the report.

We do not keep any sensitive information there but our teams will look into this.
We will get back you once we have additional info.

It was heartening to get a reply. Maybe not the best we’ve had from first contact, but at least we had each other’s attention.

There was no reaction to our request for a timeline, but after one working day and a weekend had passed we found that the issue had been fixed yesterday morning.

We don’t expect thanks (years of responsible disclosure has taught us that) but a simple “Fixed” notification from Proton would have been a classy touch.

**Update 28 Apr 2020**

We received the following email this morning, but only after a journalist who had read our blog had contacted them for a response:

Hi,

We apologize for the delay.
After this was fixed we were waiting for our teams to double check and confirm that everything is in order.
Thank you for your report.
Feel free to contact us anytime if you have any other reports.

Best regards,

The ProtonMail Security Team

Thank you ProtonMail.

Advice

Removing the /.git/ directory from all published sites is strongly recommended, in order to prevent exposing sensitive data.

If your site is found to have this folder available, the contents should be reviewed and any password contained in accessible files should be changed as they should be classed as compromised.

Conclusion

Easily found, quickly fixed, so a result all round.

However, the irony of a EU-funded web site about GDPR having security issues isn’t lost on us.