OffSec Update (23-27 March 2020)
Progress
- In total, we have found 121 internal Google Groups that have insecure permissions and contain sensitive information (PII, financial data, employee private data, all e-tickets for certain airlines, etc.). For faster remediation, we used G Suite admin access from IT to change their permission settings: https://29022131.atlassian.net/projects/SECURITY/issues/?filter=doneissues&orderby=updated%20DESC&keyword=google%20group
- Note: from an offensive-security perspective, this Google Groups exposure is a major issue, and long-term solutions need to be considered.
- New issues
- SECURITY-501: Exposed Java Debugger leads to the takeover of a Finance server with admin privileges (Resolved)
- SECURITY-532: IDOR in Detail TNC (/v2/post-issuance/refund/pre/detailed-tnc) (Unresolved)
Plan
- Find and classify sensitive data in Confluence and Jira Dashboard.
- Work with the SOC and IT teams on protecting Google Groups (channel: gsuite-security)
- Further testing of General Refund (Airport Transport, Car Rental, and Experience)
- Further testing of the coupon system
- Continue security research as usual
Blockers
- Other teams' priorities blocked some of our efforts:
- Site Infra has more urgent priorities for their own projects, so our AWS scanner project is still in review.
- The Accommodation team is still busy, so the reschedule-flow vulnerability is still not fixed.