IFEP - Data Breach
Official Publication: ENTRYRISE S.R.L
Scope: Public notification on data breach and incorrect handling of breach
Date of the breach: February 28, 2023
BREACH Details:
- 37,483 lawyer personal identification numbers (CNPs), and work email addresses, full names, bars associated to.
- Risk of account theft on IFEP
- Risk of deanonymizing votes for Bar Association votes.
RISKS:
- Account theft (IFEP)
- Risk for deanonymization of Bar Association Dean votes through IFEP platform.
Update #1: 01/06/2024 00:48
Release Details
On February 28, 2023, IFEP, a platform built in collaboration between Intra Connect SRL and and UNBR (The national bar association)
With the following information made public:
- Full Name: Identifying all lawyers registered at a bar in Romania.
- Personal Numeric Code (CNP): A unique identifier containing sensitive data such as birth date, gender, and county of birth.
- Work Email: Emails submitted by the bar association to lawyers.
- Legitimation Number: Serial number for legitimation, which could've been directly inferred via a tool on the IFEP site.
Vulnerability Difficulty - Low
The vulnerability affected an openly accessible, and Google-indexed endpoint, allowing attackers to download a list of all lawyers, their corresponding bars, their work addresses, and associated PIN (CNP).
The endpoint:
- Lacked any authentication or authorization measures
- Shouldn't have been publicly accessible, as it's not used on the IFEP application.
- Was publicly visible and indexed by Google Search.
Steps Taken
We immediately reported the fact that a private endpoint was indexed by Google, as well as the fact that it allowed unauthorized access to private information, to the helpdesk email associated with IFEP.
We verified A fix has been implemented within a day since the notification of the vulnerability..
We have not received any notification from UNBR, IntraConnect S.R.L, or any other responsible entity to detail the taken steps.
We have not noticed any official disclosure from UNBR on the extent of the data loss.
The date of the vulnerability being discovered coincides (but is unrelated to) the date of the proposal to construct a UNBR cloud for lawyers, and it is possible that the vulnerability was not disclosed to prevent escalating an already tense discussion topic inside the profession.
We found the vulnerability when researching the data processor as well as the manager and owner of the IFEP site, in the context of the lack of transparency being discussed in regard to the legislative proposal mentioned above.
Similar to our previous release of the identification, reporting and non-reporting of the breach regarding the CECCAR accountants database, today we present a similar yet more restricted case, affecting all Romanian lawyers.
Unlike the CECCAR breach, this one is more limited when it comes to identity theft due to the reduced scope of affected information.
In addition, due to the nature of legal professions, we believe data such as personal identification numbers (CNPs) would already be available to customers. However, consensually, so we believe the risks are slightly lower.
While this vulnerability is also low effort since it involves accessing a publicly indexed, and previously openly available, unauthenticated endpoint, it requires manual interaction by an attacker to exploit this vulnerability.
The CECCAR vulnerability previously reported led to unauthorized data disclosure of almost all data present on a personal identification document, with data sent to both normal and malicious users of the application.
Unlike the CECCAR breach, we believe this one is significantly less likely to have been abused in the wild.
Breach Period
While we were unable to validate the extent of the vulnerability, we believe the breach existed since the initial IFEP development, which we traced to at least April 2021.
We estimate that the vulnerability was not found, abused in the wild, nor disclosed for at least two years.
Risk assessment and CVSS details - 5.5/10
The vulnerability was assessed based on criticality, impact, and exploitability using the CVSS scoring metric, with an estimated CVSS Score of:
- CVSS Base Score: 7.5/10
- Impact Subscore: 3.6/10
- Exploitability Subscore: 3.9/10
- CVSS Temporal Score: 7.2/10
- CVSS Environmental Score: 5.5/10
- Modified Impact Subscore: 1.8/10
- Overall CVSS Score: 5.5/10
GDPR report
We haven't been able to find any open report or disclosure to comply with GDPR requirements of disclosure.
While the GDPR Regulation provides an exclusion to required disclosure in cases of low risk of infringement of personal rights, we believe it's transparent to notify involved parties of the risks, and the steps taken, even more so in a domain where people care about the privacy of their data.
INCORPO.RO - OFFICIAL RELEASE
We believe that everyone should be aware of the extent to which their data is processed. While we are pro-processing and are ourselves a platform that uses analytics to help shape our products, we believe this should be done responsibly and with proper disclosure.
With no action being taken to notify the involved parties in almost one year, and the recent disclosure of the IFEP data leak, we believe it's only reasonable to disclose to the involved parties the risks they were exposed to.