Bong Go website defaced, hacker lobbies for vulnerability disclosure program – Manila Bulletin



Senator Bong Go’s website was hacked the same day the senator announced his withdrawal from the presidential race. Pinoy GrayHats, a Filipino cybersecurity group, informed MB Technews that a team member discovered a serious vulnerability on the senator’s website. A few hours later, we received an update indicating that Personally Identifiable Information (PII) of volunteers for Go’s presidential candidacy could be exposed and that the site had been defaced.

Senator Bong Go’s website.

Pinoy GrayHats, however, claimed the hack was not a targeted attack. The site https://kuyabonggo.ph appeared to have multiple vulnerabilities in the automated passive analysis performed by the group. After discovering the security holes, the group then exploited the misconfigurations of the website, carried out SQL injection attacks and installed a backdoor to gain full control of the site.

A member of the group also informed MB Technews that he did not intend to exfiltrate any content from the site. The group even put measures in place to secure the server and its content from other hackers who might attempt to download the sensitive information.

“We have solved the issue of broken access control that allows any user to bypass and access endpoints even without proper authorization,” a member of Pinoy GrayHats told MB Technews.

The defaced page

“While we have not specifically targeted Senator Bong Go, we believe he is the right person to listen to our concern once we show him that we are doing this for good,” the group says. “We hope that as we show the right senator the dangers of the vulnerable site by exposing personal and sensitive data, the government will support cybersecurity professionals by pushing vulnerability disclosure programs for government websites and servers.”

Earlier this year, MB Technews reported the call from Filipino cybersecurity professionals to businesses and government agencies to have a working vulnerability disclosure program or VDP.

According to Bugcrowd, a participatory security platform, a VDP is like neighborhood watch. It encourages people to report something if they see suspicious activity. For example, if you saw your neighbor’s front door open, you would want to let them know. But if you don’t have your neighbor’s contact details, how would you know? Vulnerability disclosure programs provide a way to report potential security risks in a formal and consistent manner and provide a channel for knowing that someone has received the message.

Here in the Philippines, when hackers and IT pros discover vulnerabilities in a website or server, it is almost certain that they will not find anyone to send the report to. With the rate of whitehat and other cybersecurity enthusiasts finding vulnerabilities in Filipino servers, having a channel to report them is crucial.
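The reporting channel a VDP provides has a standard, machine-readable form: a security.txt file (RFC 9116) served at /.well-known/security.txt, which publishes the contact a finder should use. The following helper builds such a file and checks that an existing one still offers a usable channel. It is an added illustration, not code from the article, from Pinoy GrayHats, or from any site mentioned here; the example.gov.ph domain and the security@ address are constructed placeholders.

```python
"""Build and sanity-check an RFC 9116 security.txt, the file that gives a
website a formal vulnerability-reporting contact. Added example; the domain
and address below are constructed placeholders, not a real site's values."""
from datetime import datetime, timedelta, timezone

# Fields RFC 9116 requires in every security.txt.
REQUIRED_FIELDS = ("Contact", "Expires")
# Contact schemes RFC 9116 allows.
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def build_security_txt(contact, expires, policy=None, languages=None):
    """Render a security.txt body.

    contact: a mailto:/https:/tel: URI that reaches the security team.
    expires: timezone-aware datetime after which the file is considered stale.
    """
    if not contact.startswith(CONTACT_SCHEMES):
        raise ValueError("Contact must be a mailto:, https: or tel: URI")
    if expires.tzinfo is None:
        raise ValueError("Expires must be timezone-aware")
    # RFC 9116 wants an ISO 8601 timestamp; render UTC with a trailing Z.
    stamp = expires.isoformat(timespec="seconds").replace("+00:00", "Z")
    lines = [
        "# Vulnerability disclosure contact for this site (RFC 9116)",
        f"Contact: {contact}",
        f"Expires: {stamp}",
    ]
    if policy:
        lines.append(f"Policy: {policy}")
    if languages:
        lines.append(f"Preferred-Languages: {', '.join(languages)}")
    return "\n".join(lines) + "\n"


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        if ":" not in line:
            return [f"malformed line: {line!r}"]
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())

    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear exactly once")
    for exp in fields.get("Expires", []):
        try:
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"unparseable Expires value {exp!r}")
            continue
        if when <= now:
            problems.append("security.txt has expired; finders may treat the contact as stale")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact!r}")
    return problems


# Constructed sample values (placeholder domain, not a site from the article).
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_TXT = build_security_txt(
    "mailto:security@example.gov.ph",
    SAMPLE_NOW + timedelta(days=365),
    policy="https://example.gov.ph/vdp",
    languages=["en", "fil"],
)
STALE_TXT = build_security_txt("mailto:security@example.gov.ph", SAMPLE_NOW - timedelta(days=1))
NO_EXPIRES_TXT = "Contact: mailto:security@example.gov.ph\n"

if __name__ == "__main__":
    print(SAMPLE_TXT)
    print("fresh file problems:", check_security_txt(SAMPLE_TXT, now=SAMPLE_NOW))
    print("stale file problems:", check_security_txt(STALE_TXT, now=SAMPLE_NOW))
    print("no Expires problems:", check_security_txt(NO_EXPIRES_TXT, now=SAMPLE_NOW))
```

The Expires check matters in practice: a security.txt whose date has passed signals an unmonitored mailbox, which is exactly the "no contact details" situation the neighbourhood-watch analogy describes, so the file should be regenerated on a schedule rather than published once.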

As of this writing, the defaced website is still live at https://kuyabonggo.ph/assets/ and https://kuyabonggo.ph

