US Developer’s Workstation Exposed State Department’s Network Data, Researchers Find

Long-time Slashdot reader chicksdaddy writes: Sensitive systems and data for the U.S. Department of State could have been exposed by a third party development workstation running the eXide software, according to researchers for the hacking crew Sakura Samurai. According to a report in Forbes, the researchers took advantage of a new State Department Vulnerability Disclosure Program to look for security flaws in one of 8 wild-carded State Department domains included in the program. Using automated tools to do reconnaissance on one of the subdomains the State Department had included in its VDP, researcher Jackson Henry discovered a vulnerable workstation running the open source, web based eXide IDE. It was linked to a third party doing work for the State Department and contained a number of serious security holes including Cross Site Scripting (XSS), Remote File Inclusion (RFI), and Server Side Request Forgery (SSRF) flaws. All are powerful weapons in the hands of a sophisticated cyber adversary.

After reporting their findings to the State Department on April 27th, researcher Jackson Henry and Sakura Samurai received acknowledgement of their report on April 29th. The vulnerable endpoint in question was taken offline by the State Department by May 13th. Henry and Sakura Samurai then began working with the State Department on public disclosure of the vulnerabilities, while also communicating with the developers responsible for the open source project to get the flaws fixed, according to communications shared with Forbes.

The discovery of flaws buried in an open source development tool underscores the risks that federal agencies face as more and more government business shifts to the web. “The State Department can’t audit every open source package it uses,” Henry said. “That’s why the VDP is such a big thing (and) a step in the right direction.”

It is also an endorsement of the benefits of a quiet security revolution within the federal government in recent months, as agencies have responded to Binding Operational Directive 20-01, a new requirement from the CISA, the Cybersecurity and Infrastructure Security Agency, that Executive Branch agencies publish and maintain public vulnerability disclosure programs, or VDPs — a kind of front door for bug hunters and “white hat” cybersecurity professionals.