howto-disclose

TL;DR. I discovered secret info on Github.
I also discovered that UK cyber law is broken.

How it started

In late February I discovered two public repositories on GitHub with a similar name to an organisation I follow. Intrigued, I forked the repo and cloned it. I took a look at the git log. There were approximately 2 years of commits from three authors to two branches (master and oeportal). Although I didn't recognise the GitHub user that published the repo, the email addresses of the authors were familiar.

I skimmed through the code. It looked like an app for business financial management. There were Views for purchasing, receipting, budgets and expenditure. The application was built with an old version of the Laravel framework that has published SQLi and RCE vulnerabilities. Along with the code there was a compressed database dump. With the database you could get the app running locally in a container. From the code you could work out where on the internet the app was running. Some of the Views included content loaded from a third-party site. Several files in the repo contained things that shouldn't be posted to the internet: usernames, passwords and API keys. The database dump also contained usernames, email addresses, passwords (hashed) and API keys for the third-party site.
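A defender-side check for the kinds of leaks described above, added here as an example and not code from the post or from Apperta: a small scanner that walks a repository snapshot (a constructed in-memory mapping standing in for a cloned working tree) and flags Laravel-style .env credentials, hard-coded credentials in PHP config arrays, and committed SQL dumps, masking each value so the report itself never re-leaks a secret. The key names are standard Laravel .env keys; every value is constructed.

```python
import re

# Laravel .env keys that should never be committed, plus generic *_API_KEY/*_SECRET/*_TOKEN.
# Only spaces/tabs are allowed around "=", so an empty value never swallows the next line.
SECRET_KEY_RE = re.compile(
    r"^[ \t]*(?P<key>DB_PASSWORD|APP_KEY|[A-Z0-9_]*(?:API_KEY|SECRET|TOKEN))[ \t]*=[ \t]*(?P<val>\S+)", re.M)
# Hard-coded credentials in PHP config arrays, e.g. 'api_key' => 'value'.
INLINE_CRED_RE = re.compile(
    r"""(['"])(?P<key>password|username|api_key)\1\s*=>\s*(['"])(?P<val>[^'"]+)\3""", re.I)
DUMP_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".dump")

def mask(value):
    """Keep only the first two characters so a finding can be reported without re-leaking it."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"

def scan_tree(files):
    """files: mapping of repo-relative path -> str content (bytes for binary files).
    Returns a list of (path, finding) tuples in file order."""
    findings = []
    for path, content in files.items():
        if path.lower().endswith(DUMP_SUFFIXES):
            findings.append((path, "database dump committed to repo"))
            continue
        if isinstance(content, bytes):  # other binary files are not text-scanned
            continue
        for m in SECRET_KEY_RE.finditer(content):
            if m.group("val").strip("\"'") not in ("", "null"):
                findings.append((path, f"{m.group('key')}={mask(m.group('val'))}"))
        for m in INLINE_CRED_RE.finditer(content):
            findings.append((path, f"{m.group('key')}={mask(m.group('val'))}"))
    return findings

# Constructed snapshot standing in for a cloned working tree; all values are made up.
SAMPLE_TREE = {
    ".env": "APP_ENV=production\nAPP_KEY=base64:c0nstructedKeyValue==\nDB_PASSWORD=hunter2\nMAILGUN_SECRET=\n",
    "config/services.php": "<?php\nreturn ['thirdparty' => ['api_key' => 'xyz-constructed-123', 'username' => 'finance']];\n",
    "database/dump.sql.gz": b"\x1f\x8b\x08constructed",
    "README.md": "# portal\nRun composer install.\n",
}

if __name__ == "__main__":
    for path, finding in scan_tree(SAMPLE_TREE):
        print(f"{path}: {finding}")
```

To run it against a real checkout, read each file into the same mapping (text as str, anything undecodable as bytes) and pass it to scan_tree; the empty MAILGUN_SECRET in the sample is deliberately not reported.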

The Apperta Foundation had two public repos on GitHub full of secrets.

Logo of the Apperta Foundation

Apperta, for those that don't know, was created by NHS England in 2015 and given £500k to support open source projects. At the time Peter Coates, NHS England's Open Source Programme Manager and now a Director of Apperta, told Digital Health News that Apperta would:

'be fully transparent, with information published online regarding where money has come from and where it has gone.'

Public repos were probably not in mind.

Back in 2017 I was part of the group that made NHSbuntu - an open source desktop for the NHS. Apperta made a grant of £30,000 to the project and invited me to join a subcommittee that would oversee development. Subcommittee members have a responsibility to ensure that Apperta policies and procedures are followed and I was provided a copy of the Apperta information security policy when I accepted the invitation.

I found it and re-read it.

It was my responsibility to alert the Apperta Foundation that I suspected there had been a security breach and to provide as much information as possible (including the date, time and application) to enable the Foundation to investigate and take appropriate counter-measures. Although no longer a subcommittee member, I figured I'd follow the procedure and provide as much information as possible about what looked to be a security breach.

I wrote up what I had discovered, providing screenshots of the repos with notes on the contents of the code and the database dump file, URLs of the third-party site, and some notes about published vulnerabilities in the version of Laravel used. It looked something like this (gist and pdf).

I emailed the disclosure to Apperta on 1st March at 12:12hrs. I stated that I would keep the materials used to create the disclosure for 90 days (encrypted) before destroying them. Apperta responded and thanked me. Within the hour the repos were taken down and the portal taken offline. The following day I saw that some of the third-party elements that were referenced in the code (along with API keys!) were still available on public URLs without any authentication. I made a further disclosure and again was thanked by Apperta.

On Monday (8th March) I received an email letter from a law firm acting for Apperta. The solicitor wrote that I had hacked into Apperta's systems and extracted, downloaded (and retain) its confidential business and financial data. By writing up my discovery and sending the disclosure I had apparently 'committed various civil wrongs, including breach of confidence and statutory duty, infringement of copyright and unlawful extraction.' As well as accusing me of committing offences under the Computer Misuse Act 1988 and the Investigatory Powers Act 2016, the solicitor demanded that I give a written undertaking that amounted to me admitting that I had acted unlawfully.

I replied promptly to say:

On or around October 30th 2019 your client published two repositories of code on the public code sharing website Github. These materials were freely available for anyone to view, clone, fork or download from that date.

Thank you for making me aware that your client considers the data that they purposefully published on Github in 2019 as private and confidential business information. I trust that they will be notifying the ICO of the data breach.

I provided the following confirmations:

  • I confirm that I created and shared security advisories with redacted / obfuscated content with your client.
  • I confirm that I will retain an encrypted copy of the materials as a record of my actions.
  • I will provide a certificate of destruction after 90 days from the date of disclosure.
  • I confirm that I no longer have a copy, clone or fork of the publicly available repositories.
  • I confirm that I have not and will not publish the data your clients made available on a public website or had published on a public URL.

Rob Dyke

@robdykedotcom

InfoSec twitter.
So I find an open repo with dump.sql API keys, usernames etc.
I verify the contents.
I take screenshots.
I send a security advisory.
Then I get a letter from the lawyers.
This normal?
#infosec #Legal https://t.co/4XlwxoEPCh

I received a reply the following morning.

Not only were the confirmations provided unacceptable, the detailed information I provided in the disclosure to help Apperta had been misinterpreted. I did state that Apperta should consider the portal compromised. With credentials and a copy of the database leaked as well as a dependency on a framework with known RCE and SQLi vulnerabilities, I would definitely consider the application compromised!

Later that afternoon, another email arrived.

Absurdly, these tweets were seen as intimidating and as a threat to access Apperta's systems.


Rob Dyke

@robdykedotcom

Found a public repo with API keys, usernames, passwords, and a database dump.

Notified owners.

Gone now.


Rob Dyke

@robdykedotcom

I am 100% behind this from @ThatPodcastChap

"Take responsibility or be hacked again."

ESPECIALLY relevant for companies in the open source world.

https://t.co/AsriMUQ692

(I suspect the first headline was 'Grow a pair or piss off')

The email concluded rather ominously.

'You have failed to provide the undertaking requested. Please advise how we may serve your solicitor. If you are representing yourself, kindly confirm.'