howto-disclose

I told NHS Tech Org about secret info they'd left online. They replied with legals.

Late February I discovered two public repositories on GitHub belonging to The Apperta Foundation, a health tech non-profit created by NHS England.
Several files in the repo contained things that shouldn't be posted to the internet: usernames, passwords and API keys.
Along with the code there was a compressed database dump that ALSO contained secret info and also API keys for two third-party sites.

The Apperta Foundation had public code on GitHub stuffed full of secrets.

I wrote up what I had discovered as a Security Disclosure. In the document I included screenshots of the repos, described the comments in the code, the contents of the database dump file, and the listed URLs of the third party sites.
I included some notes about published SQLi and RCE vulnerabilities in the version of Laravel framework used by the application.
I emailed the report to Apperta on 1st March at 12:12hrs. In my email I stated that I would keep the materials used to create the report for 90 days (encrypted) before destroying them.
Apperta responded VERY swiftly and thanked me for the report and the materials.
Within the hour the repos were taken down and the portal taken offline.
The following day I saw that the third-party sites that were referenced in the code (along with API keys!) were still available on public URLs without any authentication. I sent a further report and again was thanked by Apperta.

A week later I heard from Apperta's lawyers.

On Monday (8th March) I received a letter by email from a law firm acting for Apperta. The solicitor wrote that I had hacked into Apperta's systems and extracted, downloaded (and retain) its confidential business and financial data.
By writing up my discovery and sending the disclosure I had apparently 'committed various civil wrongs, including breach of confidence and statutory duty, infringement of copyright and unlawful extraction.'
As well as accusing me of committing offences under the Computer Misuse Act 1988 and the Investigatory Powers Act 2016, the solicitor demanded that I give a written undertaking that amounted to me admitting that I had acted unlawfully.
We require your immediate undertaking by 5pm today, Monday 8 March 2021. That you have destroyed or will immediately deliver up, all of our client’s confidential business information in your possession whatsoever. Your confirmation that you have not, and will not, publish the data you unlawfully extracted. Your confirmation that you have not shared the extracted data.

Don't shoot the messenger.

I replied promptly to say:
On or around October 30th 2019 your client published two repositories of code on the public code sharing website Github. These materials were freely available for anyone to view, clone, fork or download from that date.

Thank you for making me aware that your client considers the data that they purposefully published on Github in 2019 as private and confidential business information. I trust that they will be notifying the ICO of the data breach.
I provided the following confirmations:
  1. I confirm that I created and shared security advisories with redacted / obfuscated content with your client.
  2. I confirm that I will retain an encrypted copy of the materials as a record of my actions.
  3. I will provide a certificate of destruction after 90 days from the date of disclosure.
  4. I confirm that I no longer have a copy, clone or fork of the publicly available repositories.
  5. I confirm that I have not and will not publish the data your clients made available on a public website or had published on a public URL.

Rob Dyke @robdykedotcom
InfoSec twitter.
So I find an open repo with dump.sql API keys, usernames etc.
I verify the contents.
take screenshots.
I send a security advisory.
Then I get a letter from the lawyers.
This normal?
#infosec #Legal

An unacceptable undertaking.

I received a reply the following morning.
Not only were the confirmations provided unacceptable, the detailed information I provided in the disclosure to help Apperta had been misinterpreted. I did state that Apperta should consider the portal compromised. With credentials and a copy of the database leaked as well as a dependency on a framework with known RCE and SQLi vulnerabilities, I would definitely consider the application compromised!
Later that afternoon another email.
Since we wrote earlier today, it has now come to our attention that you have boasted of your unlawful extraction and also today threatened to unlawfully access our client’s systems and data again.
These are the tweets that were seen as intimidating and as a threat to access Apperta's systems.

Rob Dyke @robdykedotcom
Found a public repo with API keys, usernames, passwords, and a database dump.

Notified owners.

Gone now.

The email concluded rather ominously:
Our client has a real belief that you pose an imminent further threat and that you now retain its confidential business information and data. You have failed to provide the undertaking requested. Please advise how we may serve your solicitor. If you are representing yourself, kindly confirm.

Next...

The next three months were tiring. Countless emails back and forth between lawyers.
At one point it looked like Apperta were going to apply for a High Court Injunction against me.
Read the press articles and check out the reveal by Sick.codes.
I made a timeline of events and shared some of the emails.
By way of a summary, here are some colourful boxes.

Public repos with secret info: 2
Emails between lawyers: 500+
Costs & legal fees: £25k
Confirmations / undertakings offered: 8
High Court forms: 3
Go Fund Me donations (after fees): £15k
Press interviews: 5
Twitter followers: +1k
Confirmation / undertaking accepted: 1
Weeks off sick from stress: 2
Own savings: £5k
Pages in court bundle: 177