Case 1: Source Code Leak on GitHub
Xiaomi VPN leak: Xiaomi VPN account passwords confirmed compromised, allowing unauthorized login https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-076482
Security Risk [Fixed]:
- Email account passwords were leaked in GitHub code (https://github.com/**/**/blob/**/PswHelper/src/com/example/pswhelper/GridActivity.java). Logging into the mailbox exposed Youdao Cloud Note account passwords, which in turn revealed VPN account passwords.
- Email accounts can be used to reset passwords.
- Email accounts can be used to send phishing emails with attachments. When employees click the attachment, the attacker can gain control over the employee’s computer.
Security Recommendations:
- Regularly search GitHub, GitLab, and other code platforms for company-related code and look for sensitive information such as account passwords (which give direct login access) or backend code (which can be audited for unpublished vulnerabilities), then contact the responsible people for remediation and removal.
- It is recommended to use two-factor authentication, such as SMS verification codes or dynamic tokens. For applications that cannot use two-factor authentication, enforce regular password changes.
Case 2: Source Code Leak on GitHub
Information leak at Minsheng e-commerce leading to a mass employee information leak (Part 1) https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-077513
Security Risk [Fixed]:
- Email account passwords were leaked in GitHub code (https://github.com/**/**/blob/**/service/mail.js). After logging into the email, SVN account passwords could be found.
- Email accounts can be used to reset passwords.
- Email accounts can be used to send phishing emails with attachments. When employees click the attachment, the attacker can gain control over the employee’s computer.
Security Recommendations:
- Same as Case 1.
Case 3: Website Backup File Source Code Leak
Changjie Tong website source code download https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-066740
Security Risk [Fixed]:
- A certain Changjie Tong website (http://**.**.**.**/Exam.rar) leaked website source code.
Security Recommendations:
- Prohibit storing backup archives of website source code or other unrelated files in the web directory.
Case 4: Website Backup File Source Code Leak
CITIC certain business database configuration information leak https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-076966
Security Risk [Fixed]:
- A CITIC Bank website (http://**.**.**.**/MallWeb.zip) leaked website source code, and the configuration file (\WEB-INF\classes\conf\serverport.properties) exposed account passwords.
Security Recommendations:
- Same as Case 3.
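The recommendation shared by Cases 3 and 4 (no source archives or unrelated files in the web directory) can be enforced with a periodic audit of the document root. The script below is an added example, not code from the original reports: it lists archives (the Exam.rar / MallWeb.zip pattern), backup copies and exposed version-control metadata under a web root. The sample tree it builds is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# File types that have no business being served from a web root: source
# archives like Exam.rar / MallWeb.zip, editor and backup copies, database
# dumps, and version-control directories that expose full history.
ARCHIVE_SUFFIXES = {".rar", ".zip", ".7z", ".tar", ".gz", ".tgz", ".bz2"}
BACKUP_SUFFIXES = {".bak", ".old", ".orig", ".swp", ".sql", ".tmp"}
VCS_DIRS = {".git", ".svn", ".hg"}

def audit_webroot(root: str) -> list[tuple[str, str]]:
    """Return (relative_path, reason) for every item that should not be in the web root."""
    root_path = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_path):
        rel_dir = Path(dirpath).relative_to(root_path)
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append((str(rel_dir / d), "version-control metadata exposed"))
                dirnames.remove(d)  # the directory itself is the finding; do not descend
        for f in filenames:
            rel = rel_dir / f
            suffix = rel.suffix.lower()
            if suffix in ARCHIVE_SUFFIXES or f.lower().endswith(".tar.gz"):
                findings.append((str(rel), "archive in web root (possible source/backup leak)"))
            elif suffix in BACKUP_SUFFIXES or f.endswith("~"):
                findings.append((str(rel), "backup/temp copy of a served file"))
    return sorted(findings)

def build_sample_webroot() -> str:
    """Constructed sample tree (not a real site) with the kinds of files the cases describe."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ["index.html", "Exam.rar", "MallWeb.zip", "config.php.bak", ".git/HEAD", "css/site.css"]:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
    return root

if __name__ == "__main__":
    for path, reason in audit_webroot(build_sample_webroot()):
        print(f"{path}: {reason}")
```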
Case 5: Social Engineering Database Leaking Personal Account Passwords
Home Inn Hotel OA system password leak https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-059458
Security Risk [Fixed]:
- Used Google syntax “inurl:mail site:homeinns.com” to get the email system login address: mail.homeinns.com;
- Used social engineering database search “@homeinns.com” to get account passwords: xj**@homeinns.com/22****3, but no valuable information was found after successfully logging into the email. However, phishing emails with attachments can be sent for spear phishing attacks. Once employees click the attachment, attackers can gain control over their computers.
- Used Google syntax “intitle:login site:homeinns.com” to get the OA login address: oa.homeinns.com. Used the email verification code to reset the password, logged in to view the address book, and obtained personal information on all company employees.
Security Recommendations:
- It is recommended to use two-factor authentication, such as SMS verification codes or dynamic tokens. For applications that cannot use two-factor authentication, enforce regular password changes.
Case 6: Social Engineering Database Leaking Personal Account Passwords
58.com admin password leak (big data) https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-054654
Security Risk [Fixed]:
- Used Google syntax “site:58.com inurl:profile 管理员” (管理员 is Chinese for “administrator”) to find the internal forum site https://**.**.58.com/ and an admin user id: j****7;
- Used social engineering database search “j****7” to obtain account passwords: j****7/19****13, successfully logging into the internal forum and gaining admin privileges.
Security Recommendations:
- Same as Case 5.
Case 7: Social Engineering Database Leaking Personal Account Passwords
19 Lou intranet adventure https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-073687
Security Risk [Fixed]:
- In Baidu Wenku (http://doc.baidu.com/view/7826b53c580216fc700afdab.html), a document named “FOXMAIL User Guide” from 19 Lou Network Corporation was found, leading to the identification of the uploader eth****90 as a 19 Lou employee;
- Used social engineering database search “eth****90” to gain account passwords (**飞(eth****90) **xf-1983 1838**@qq.com);
- The obtained account password can log into both the 19 Lou company’s email system (https://**.**.**/extmail/cgi/index.cgi) and community forum (http://**.**.**);
- Searched for sensitive information in emails and forums, eventually obtaining account passwords for multiple systems such as OA, DW, Love, Mantis, SNS, OMWIKI, redmine, Review Board, and successfully logged in to the security audit backend;
- Continued searching for sensitive information, obtained the VPN account password and connected to the VPN to reach the intranet. Using vulnerabilities such as Struts2 flaws, gained shell access and escalated privileges to system administrator; Mimikatz then retrieved domain controller account passwords, compromising nearly a hundred computers on the intranet.
Security Recommendations:
- Same as Case 5.
Case 8: Baidu Wenku Leaking Account Passwords
Sinopec information leak allows login to email and VPN (internal employee sensitive information at risk) https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0125660
Security Risk [Fixed]:
- A Sinopec document found in Baidu Wenku titled “** System Login” stated that the default email password is the same as the account name. Collecting Sinopec email accounts online and using each account name as its password gave successful email logins. Inspecting the contact address book then led to logging into the mailboxes of numerous employees, including company leaders and holders of key positions.
Security Recommendations:
- Regularly check Baidu Wenku for company-related documents to find any sensitive information such as account passwords (login accessible), and contact the relevant people for remediation and removal.
Case 9: Baidu Wenku Leaking Account Passwords
A certain document library leaks a provincial system SSLVPN account https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2015-0130298
Security Risk [Fixed]:
- Baidu Wenku leaked a document “Family Planning Technical Service Management Information System” (http://wenku.baidu.com/view/f16aed9adaef5ef7ba0d3ca7.html), which mentioned VPN default account and password.
Security Recommendations:
- Same as Case 8.
Case 10: Baidu Wenku Leaking Account Passwords
Utilizing Baidu Wenku for fast penetration into internet enterprises https://wy.zone.ci/bug_detail.php?wybug_id=wooyun-2014-065523
Security Risk [Fixed]:
- Searching in Baidu Wenku with keywords like “user password http://oa” and “initial password http://oa” revealed a large amount of sensitive information;
- Using a specific company as an example, obtained account passwords for the Jindun Firewall and logged in successfully.
Security Recommendations:
- Same as Case 8.