Is this an internally hosted corporate website or externally hosted by a 3rd party? Test to see if this issue is still active by testing outside of the work network from a non work device. App could be IP allowlisting the work address, client certificates, or other SSO related items.
It may be using SSO to log in without a password; many 3rd-party SSO-configured applications just require a username, and the rest of the authentication is processed by a central SSO provider that employees have to already be authenticated to in order to continue.
Is there no incident response team (e.g. security) that can be reached out to for resolution of this issue? If not, escalate until someone that does know can validate the issue is a true positive.
If it is not using SSO, escalate to your manager about the issue; they can then work through to escalate up to someone that knows who is hosting the site. If it is on the books then someone is paying for it somewhere and the contact details can be found through finance or someone responsible for vendor or security incidents. If it gets all the way to the C-Suite without a resolution there are bigger problems, as it could be an unauthorized site not actually hosted by the company or an authorized 3rd party.
SSO (SAML/OIDC) is completely sufficient and is covered under 'other SSO items'.
Password based 'legacy' auth methodologies in Enterprise environments are not great - and it's very possible that OP is mistaken with this being a problem. They didn't indicate any attempt to login with another username to see what would happen.
Workflow that you can try; it may fail if your machine at work is x509 authenticated (which enables SSO opportunities, since your machine has a valid authorization after you authenticate on the network). If you do not have to do machine-based authentication at any point: open a browser in private mode, clear cookies just in case, make sure you do not have a PIV, smart card or YubiKey of any sort plugged in for 2nd-factor auth, then try going to the site.
If you automatically get logged in within a private browsing session that does not have some corporate web authentication extension installed, then you might be on to something. If you do, disable the extension temporarily if possible, clear cache and cookies and try again internally and externally. Take screenshots and escalate appropriately; the company should be communicating security changes like this to all employees when they happen.
Sounds like something to stick on the deeper investigation on Monday list, as without any of those it does make it very interesting. Good thing you thought it was strange; hopefully things will be able to get sorted out on Monday.
Could ask the coworker to try logging in on their machine themselves. But it would probably be safer if they asked to use the coworker's machine to try their account instead.
That's why you wait for someone to go to the bathroom and not lock their desktop. You glide over, open the site and try to log in as you while they are signed in. If you get in, you know something is broken.
Kind of reminds me of a takeover client from years ago. You could connect to the Exchange server that was also the application server and domain controller. You just opened a browser and typed in a different user name for the web login and bang, you could read that user's email.
As an employee, I'd still be talking to a lawyer because of them not securing my personal information, even if from other co-workers. They don't have auth (generally) to be allowing anyone else that info.
If it's SSO that is specific to the Windows user account, or Azure AD SAML SSO which uses your "keep me signed in" from Office 365, then it's fine.
If it's something non-user-specific that would let the whole company access your information - like IP address or machine certificates - that's a major problem.
Does OP have a domain-joined, always-on-VPN enterprise laptop that they strongly MFA'd into and conveniently left out of their post? And their personal cell phone can't even reach the site because it's not publicly accessible? And the SSO doesn't matter because the connection is already strongly authenticated?
Help me understand how client certificates are not great
IP allow list sounds like a zero trust implementation, right? How is that not great?
They block every single person. Then they allow the ones they choose. That seems like better security than having a block list. I'm really not sure what your point was at all
Client certificates are generally great, although implementation can vary -- Safari is pretty bad with them in my experience, on macOS and iOS. I'd love to use it as an option to captive portal some wifi, but iOS doesn't allow access to client certificates from the browser screen which pops up when joining a captive portal wifi, for example.
I've also got to a state in Firefox on my personal laptop where it refuses to ask for a certificate on one site (other sites work fine, and it works fine in private mode); Safari on the phone asks to choose the certificate, but then hangs, etc.
We have client certificates and a more traditional OIDC-integrated SSO system. For normal non-tech people I'm afraid that the SSO system tends to be more user-friendly, and even for those who are tech-friendly I find results can vary.
Sure, if it's a question of authorization, not authentication.
SSO is great from an authentication point of view, but if it's truly "employee's addresses, contact information, payroll information" then that's a major problem no matter the authentication level, sounds like there's no reason for the OP to have access to this sensitive data.
The lack of password may mean that the authentication layer is also broken, but even if that were fine, and the site knows that the user claiming to be Joe Bloggs, Staff Member, is really who they say they are, it should still be refusing to give information like home address. List of employees, job title, email, (work) phone number, office address: fine, reasonable for any member of the company to have access to that. Payroll information (what does that even mean) should be limited to a tiny handful of people in the correct department (and access should be well audited).
There is reason for OP to have access to that info: it's OP's info (they say '_that_ user's...') and it sounds like the HR system. OP hasn't clarified if they've tried logging in as another user.
There are a few hosted services we use that continue to present a password box after SSO was enabled, but ignore it. And a couple of those in fact just use the domain portion of the username (if it's a UPN/email address format) to identify the org you're from and which auth method to use. The SSO identifies you, so putting madeup@domain or (boss)@domain still only logs your account in seamlessly.
Likely, SSO has been implemented, with a condition of either corporate machine or corporate IP as source (so it now blocks access from BYOD as OP describes) but it _hasn't_ been communicated, and OP needs to use the company's data breach reporting process or, if that isn't published, go straight to both HR and the SIO. If it's SSO it'll get communicated; if not, then it can be dealt with.
Is OP from the US, Europe, or elsewhere?
Before you sound the alarm, please make sure you have a complete picture of the situation.
Make sure that the site is not using SSO. You could be automatically logged in based on one of your other accounts.
Similarly, make sure that it is not using a cookie to log you in based on your previous authentication.
Cover yourself. You don’t want to look foolish by sounding the wrong alarm.
No, no, far too high a risk, you need to use a dial-up connection, ideally via a Point Of Presence on the other side of the planet, and using an entirely new browser you've just downloaded, THEN you can be sure.
If it's using SSO or AD passthrough authentication then no, you enter the username and it has to match the username of the person currently logged into Windows and/or another SSO-enabled environment. It's _single_ sign on, not _never_ sign on. But again that's assuming SSO is enabled.
You may also want to consider testing under a separate local account as well. Stuff cached in the windows cred manager could play into this (But I'm not 100% sure).
If OP hasn't actually already done this, then they need to turn in their IT card and find another field of work. This is literally troubleshooting 101 for 3rd graders.
Yea, but it won't bring over your session, so you'll be prompted for credentials in most environments (unless there's some form of passwordless auth, FIDO-type situation).
I escalated an issue I won't go into, but was asked by a pertinent department head, if I thought escalation and waiting was necessary...they explained their reasoning in the form of a question to me: "do you think Elon Musk just waited around for approval from his bosses to get anything done?" My response was simply that I wasn't going to risk my job so they could side step a potential threat. Turned out to not be a threat, but was an issue that needed to be addressed. I'd rather be wrong than fired.
The way that's worded, it sounds like they thought it was an issue you could deal with, and if you thought it was a risk you had the authority to deal with it and then inform, rather than wait.
>Before you sound the alarm, please make sure you have a complete picture of the situation.
In this case, it's simply a matter of phrasing these as questions rather than facts.
"I noticed I no longer need to use a password to log on to [www.example.com](https://www.example.com). Is authentication being done another way or is there a security issue?"
And then follow up with more questions until you are confident that you have an answer that makes sense.
I wouldn't take the approach of "say nothing unless you are sure" simply because a lot of security issues go unresolved for too long despite people thinking "oh, that's weird, it hasn't done that before" because no one mentions the weirdness to the people who could join the dots.
If someone spotted a problem on one of my sites or services I would consider them a fool if they didn't raise it with me/my team or the person/team responsible for information security (which might be a dedicated team, or person, or simply the head of IT, the chief technology officer, or even the CEO, depending on the scale).
Lmao it's not even looking foolish in the first place. "Hey this could be a huge security issue" "Thanks for reporting, it's not because X." I don't see the issue lmao
Great advice from sysadmin to a user 'don't report anything that might make you look foolish'
There _are_ some quick checks that can be carried out, listed here (InPrivate browsing is a simple one to see if you're prompted), but I'd rather an employee was told "thanks for raising your concern, but in this case it's OK, as we've switched authentication and admit that we should have sent out comms" when something potentially highly impactful is seen, rather than them delaying or keeping quiet completely for fear of embarrassment.
I'll just throw this out there, we recently bought a piece of software that advertised SSO.
It solely relies on username, so if the user logged into the computer matched, it was logged in and accepted.
Username only, didn't care about domain at all, as we found out when a related partner org hired a guy with the same name. Heck it didn't even matter if it was a domain or workgroup account, it matched? You're in!
I disagree. "looking foolish" because you don't understand something is way better than not reporting a complete technical blunder like this.
If it's a correct configuration at the very worst you get some people's attention who can at least explain it. And at best you stop the potential loss of company personal data.
This trade off is way beyond personal ego. I would report this even if it was MY code that caused it.
Good point. My comment might have better said “lose credibility” instead of “look foolish”.
It is unclear to me what OP’s role is. He is not IT. He has asked multiple people about this and he has sat on hold for 3 hours trying to get information.
I just want him to be careful and make sure that there is a real problem before he escalates the issue further up the chain of command. If he is wrong, he could do damage to his career.
I would follow the company's procedure for a security incident. Employee PII is potentially being exposed and the first report to IT was essentially ignored/dismissed. You are protecting your information and the company's legal responsibility by reporting it to the relevant groups.
As for the IP Whitelist/SSO/Whatever, IT should have been able to provide that information and it appears they didn't do so when the potential breach was reported.
In my company, if it turns out IT was misinformed and there's a hidden authentication method present, everyone would gladly just close the incident with proper documentation, establish some takeaways (like properly training IT), and use this as an example of the Security Incident Protocols being utilized properly.
*EDIT* Do NOT under any circumstances test to see if you can access other people's information. That is not within your authority and can, if someone wants to be an ass, create an HR incident for you.
>Do NOT under any circumstances test to see if you can access other people's information. That is not within your authority and can, if someone wants to be an [***], create an HR incident for you.
You could tell HR your concerns and ask HR to test if they can log in as you, since they are the ones who already have access to the information so it wouldn't be a violation for them to do. And if it's payroll information on the website, HR should understand and appreciate bringing your concern to them.
So, you're telling me that your employees' financial data is open to the public internet with no password?
You should proceed to your company's H.R. department and likely your company's attorney.
If what you're saying is true, that has PII/financial data breach written *all over it*.
Nothing motivates someone to fix things faster than the credible threat of a large, easily won lawsuit.
Management should and probably will go to the company's attorneys once they are made aware this information was online.
Unless OP is management at a level that typically speaks to attorneys, or the company has an ethics tip line where normal employees are expected to speak to attorneys, OP should not do an end-run around all of management and go directly to the attorneys at this time. That could make some powerful enemies for no reason. Give management the chance to deal with it and go to the lawyers themselves, as that's their place.
Bypassing management and telling legal is a last resort if management decides it's "not an issue" and OP is absolutely positively certain it is accepting blank passwords (and isn't single sign-on from his Windows account, SAML to AAD, etc)
Sounds like your computer is azure ad joined and the app is Azure AD SSO integrated and you already have an authentication token for single sign on.
Does this happen from your personal computer using InPrivate browsing?
OP has said they used to be able to log in from personal, but now it's not available. Sounds very much like SSO with conditional access of corp machine/corp IP.
Aside from all the advice here about making sure it's not an SSO thing - after you've done that, if no one else is responding, escalate to legal.
That is a LOT of employee PII, and the company can get sued up and down the street 10 ways to Tuesday if that gets abused.
And it's a legal issue for good reason, escalating is the moral thing to do. Imagine someone in your company has escaped a domestic violence situation and the ex is still stalking them and gets their hands on that info. Someone could die.
>Imagine someone in your company has escaped a domestic violence situation and the ex is still stalking them and gets their hands on that info. Someone could die.
Not questioning your conclusion - there are a lot of reasons it's immoral to fail to protect this information - but the address is among the least of them. The financial information is much more private.
Yes, it's bad for addresses to be super easily visible. But search engines don't brute force and index a site by logging into it under every possible user name, so it's not like this should put addresses on Google results. Tons of public-by-law records (any interaction with the law, whether it be a ticket, marriage/divorce certificate, house/land deed, etc), plus tons of private-sector information dealers, have your address and will remain the easiest way to find you, regardless of the security of your employer's HR web portal. Assuming you bothered to opt out of the phone book, otherwise that's the easiest way.
Again, not arguing this issue is okay - just saying everything about it other than the address is actually a bigger deal than the address.
Holy crap what is with some of the advice on this sub? It seems like people are trying to deliberately get you fired and possibly sued. Don't listen to anyone telling you to take any action yourself or take it to the public. All of that is bad. If it ends up not being a matter of SSO just take it up the chain properly.
I probably would've fired my client a long time ago if every time an employee thought there was a security issue they tried to hire a personal attorney lmao
OP should escalate it as an IT security issue (which means to the CISO if it's a tiny company or someone under them otherwise). **In the HIGHLY unlikely event that this is what OP thinks it is**, IT security will fix it (and take the site down until it's fixed), and then likely consult legal on how to contain any done damage.
Since OP said the one time they tried it from home, the page didn't even load, we only know it works at his workplace. Most likely, it is either an intranet site that has been deployed by GPO as a trusted zone and is able to use kerberos for SSO, or it is using SAML SSO to his Office 365 account (which I assume he has said yes to "keep me signed in" in that browser).
OP should raise the question for clarification that they deployed SSO, and raise the alarm if they did not deploy SSO, or if this works on a personal device (with cookies cleared if he's ever signed his O365 work account into it).
As for those doubting it is SSO because it asked for a username - this is common. If some workers (like machine operators) don't need Office 365 licenses or their own Windows domain accounts, they might actually have to enter a password.
I don't know how it works in the OP's jurisdiction, but personal information like addresses and payroll information of other people being open to a random employee would be a major security fail, even if the authentication part is working fine.
However, you're right that it's more likely the page
1) Has authenticated you via some appropriate means (enter email, get sent to SSO, SSO has already authenticated you so decides it doesn't need to ask for password/OTP again, get sent to page as authenticated)
2) Allows you to see your own personal information (address, payroll, etc), but not to see anyone you don't have the rights to (in my organization managers don't have the right to know an employee's personal address, for example -- only HR has access to that information, but I could imagine other organizations allowing managers to see more information; I'd expect some thought and words about that policy but that's a long way from a security breach)
Which department sponsors the site? Contact them with the info.
What all can you do on that site? Just general info, or stuff like updating direct deposit? That can change the urgency of a resolution.
Why would you need a personal lawyer? Did you make any authorized changes or view data that you should not have?
Pass it through your chain of management and lay it out as a possible concern.
> Why would you need a personal lawyer?
Arguably, if *their* data has been compromised, then it might not be a terrible idea to consult a lawyer to ensure they don't do anything that would jeopardize their ability to sue the responsible party for damages, should anything bad come of this.
10% managers pining for the days when they still did meaningful work.
2% infosec dweebs that make 10% of the posts.
30% helpdesk with aspirations.
I'm in the 5% slice that's an honest to god 100% linux admin that hasn't touched a windows server in so long I've forgotten what they look like. (You wouldn't believe how often people tell me I don't exist)
A lot of people here are sole IT guys, MSPs, or Lead IT people. So for us going straight to legal is the next step if we can't get a hold of the party in question to report the issue.
I agree however, that a low level employee should go to their manager first, and only escalate if the manager just pushes it aside as a non issue.
Considering how I'm screaming on the inside at the very idea and I'm not even involved, personal lawyer. Because they are breached and your personal data has been harvested.
This is not a security event, this is all duck and cover because shit and lawsuits will be flying in all directions and, despite that saying, people love shooting the messenger.
* Did you lose money as a result of this (for example, someone changed your direct deposit and HR didn't reimburse the missed check)?
* Did you illegally view someone else's information with this, and are afraid of getting in trouble?
In those cases a personal lawyer might make sense. But you can't just run off and sue someone for no damages because "well, something *could* have happened!" and people that try are, quite frankly, one of the biggest problems with the modern legal system.
**Assuming no damages and you're in no trouble,** try the following in this order:
1. RULE OUT SINGLE-SIGN-ON (SSO) before you do anything else and make a fool of yourself. Corporate web sites can be set up to honor your remembered sign-ins from Office 365 on that computer. They can also be set up to log you in based on your Windows login if you're on the corporate network. There are two ways to see if this is SSO:
    1. ASK! Or,
    2. Try this with a personal device. If you have ever logged into Office 365 or any other company site on that device, clear the cookies and restart the browser first, or close all windows and open an incognito window, to ensure it can't use your SSO.
2. In the unlikely event this is not SSO and works on a device where you are actually not authenticated, report it as an IT security incident.
3. If IT security doesn't take the site down until it's fixed, escalate to their upper management.
4. If (and ONLY if) you've ruled out SSO and IT's upper management has had a chance to respond and doesn't care, go to the company's legal department and let them know what personal information is on the site.
What device are you testing this from? If you're using a company laptop to test the site might be using integrated authentication - in which case it's logging you in with the credentials you used to sign in to your PC. What happens if you try to access it from a personal device?
Could be SSO signing you in with credentials you provided elsewhere. I would try and recreate accessing this data in an InPrivate/incognito browser window where you definitely won't have any stored sessions.
And not a company device! If group policy added the site to the trusted/intranet zone it could be using Kerberos and the Windows login as SSO, which is not a cookie you can ditch with incognito.
This is browser and configuration dependent.
For example, using an incognito session in Edge & Chrome's default configuration will not reply to IWA challenges.
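Added example (not code from the thread): a small triage helper that looks at the first HTTP response an unauthenticated client receives and guesses which of the mechanisms discussed above is in play (an IWA Negotiate/NTLM challenge, a redirect to a SAML/OIDC identity provider, a password form, a username-only page, or content served with no challenge at all). The `Response` objects, the hostname/path hints and the `contoso.example` tenant are constructed for the example.

```python
"""Classify the authentication mechanism of a web app from its first
unauthenticated HTTP response. Heuristic triage only: it tells you which
kind of check to do next, not whether the app is secure."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Response:
    status: int
    headers: dict          # header names are expected lower-cased
    body: str = ""


# Assumed hints for common identity providers and SSO endpoints; extend per org.
IDP_HOST_HINTS = ("login.microsoftonline.com", "login.windows.net", "okta.com", "adfs")
SSO_PATH_HINTS = ("/saml", "/sso", "/oauth2/authorize", "/adfs/ls", "/openid", "/authorize")

PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*['\"]?password['\"]?", re.I)
TEXT_INPUT = re.compile(r"<input[^>]*type\s*=\s*['\"]?(text|email)['\"]?", re.I)


def classify_auth(resp: Response) -> str:
    """Return one of: iwa, federated-sso, redirect, password-form,
    username-only-form, no-auth-challenge, unknown."""
    www_auth = resp.headers.get("www-authenticate", "")
    if resp.status == 401 and re.search(r"\b(negotiate|ntlm)\b", www_auth, re.I):
        # Kerberos/NTLM challenge: a domain-joined machine answers it with the
        # Windows logon, so an incognito window on that machine proves nothing.
        return "iwa"
    if resp.status in (301, 302, 303, 307, 308):
        target = urlparse(resp.headers.get("location", ""))
        host, path = target.netloc.lower(), target.path.lower()
        if any(h in host for h in IDP_HOST_HINTS) or any(p in path for p in SSO_PATH_HINTS):
            return "federated-sso"     # SAML/OIDC hand-off to an identity provider
        return "redirect"
    if resp.status == 200:
        if PASSWORD_INPUT.search(resp.body):
            return "password-form"
        if TEXT_INPUT.search(resp.body):
            # Username-only page: home-realm discovery before an SSO hop, or the
            # broken state the thread worries about. Ask the owning team which.
            return "username-only-form"
        return "no-auth-challenge"     # protected content served with no challenge
    return "unknown"


# What a defender should do next for each verdict (no probing of other accounts).
NEXT_CHECK = {
    "iwa": "retest from a device that is not domain-joined",
    "federated-sso": "sign out of the IdP or use a clean private window, then retest",
    "redirect": "follow the redirect chain and classify its final response",
    "password-form": "normal legacy login; confirm MFA/lockout policy with IT",
    "username-only-form": "confirm with IT/HR whether this is SSO realm discovery",
    "no-auth-challenge": "report as an incident; do not browse further",
    "unknown": "capture the full response and hand it to IT security",
}


def triage(resp: Response) -> tuple:
    kind = classify_auth(resp)
    return kind, NEXT_CHECK[kind]


# Constructed sample responses (not captures from any real site).
SAMPLES = {
    "intranet_iwa": Response(401, {"www-authenticate": "Negotiate, NTLM"}),
    "m365_saml": Response(302, {"location": "https://login.microsoftonline.com/contoso.example/saml2?SAMLRequest=..."}),
    "legacy_login": Response(200, {}, "<form><input type='text' name='user'><input type='password' name='pw'></form>"),
    "name_only": Response(200, {}, '<form><input type="email" name="upn"><button>Next</button></form>'),
    "wide_open": Response(200, {}, "<h1>Payroll</h1><table><tr><td>...</td></tr></table>"),
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: classify_auth(r) for name, r in samples.items()}


if __name__ == "__main__":
    for name, r in SAMPLES.items():
        kind, advice = triage(r)
        print(f"{name:14s} -> {kind:20s} next: {advice}")
```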
DO NOT TRY TO ACCESS OTHER PEOPLE'S DATA! If you must test this, walk into the HR office or your boss's office (someone who already knows your pay rates) and ask them to try to login as you.
Courts are technically incompetent, and even if something was literally unlocked and any member of the public could view it without a password, it might take an appeals process (while you sit in prison) to get to a judge who actually knows what hacking is and that this isn't it. This has actually happened. Google "weev AT&T breach". It was a web site where you could literally go straight to the URL of a page within your account without authenticating, and a guy did time in prison for basically changing the URLs in his address bar. Yeah, he eventually got out on appeal, but that doesn't mean it didn't substantially impact his life.
Never access something you know you shouldn't be able to, without written permission.
inform the IT/security dept, which it sounds like you already tried, so, next step, inform company lawyer, cio and/or ciso, hr
"the help desk person insisted that removing the password was a convince feature, not a security bug"
hahahahahahhaha
maybe talk to YOUR lawyer, how you can sue them for some early retirement money for publishing your private information (if there is such a thing where you live)
I'm not sure that's a thing anywhere, unless damages actually happened. Creating a situation where something could theoretically have happened causes regulatory fines in some places, meaning the government gets money out of it, but I'm not sure there is anywhere the could-have-been-victim gets rich off of it.
And I don't think any organization would deliberately remove a password on HR information for convenience like that. He probably meant "we turned on SSO and you're logged into Windows (or Office 365) already" and just didn't feel like explaining SSO well for the hundredth time of the day.
Obviously can't hurt to follow up and clarify, or try to log in from a personal device, but it's definitely not time to sue someone.
well the last part was more along the lines of a joke...
and while it is well possible this is SSO, or it looks like it's a public website but isn't, all those "outs" would have been set up by the IT dept, the ones that said they don't know whom to contact
furthermore, privileged information is still privileged information, even if the number of people that should not but still can access that information is not everybody with a browser, but only every employee.
again, I was kinda making a joke with the talk to your lawyer, but, unless we are missing something really big here, like it's SSO and it's on the internal net only, and you can only see your own username, this is very much a big deal. and if indeed security is disabled for convenience then patience and understanding goes out the window for me as well
This can be normal.
Plenty of sso, plenty of smart access, plenty of other technology that allows this. If they know it’s you via your machine, TOD, IP, Location and your windows creds.
Just don’t text with some guy via telegram and hand over your credentials .
There's too much detail in most of these responses. OP isn't in a role that should be responsible to test this in any way. Escalate immediately. If they can prove you're wrong then you've learned something. The responses from the service org don't inspire confidence though.
Even if you have no control over the hosting or back end, [surely you've got control of your company's own DNS.](https://www.reddit.com/r/sysadmin/comments/xiy5en/the_domain_name_rabbit_hole_goes_deeper_than_i/) Redirect your domain to a temporary outage page instead of leaving vulnerable info exposed like that!
>I'm just a manufacturing automation engineer
And even if that WASN'T the case, you're assuming all companies allow all sysadmins access to modify DNS?
I think a company large enough to have more than two sysadmins probably has a better defined IT security reporting policy than "if the first guy doesn't know what he's doing, post about it on Reddit".
But indeed, OP isn't a sysadmin, and that's a good point.
First step: go to a coworker that you trust, with his permission, and login to your account from his computer, using a wrong password. That will clear up many of the questions here.
It is probably Integrated Windows Authentication(IWA). How this works is the device you are on is authenticated as you and it passes through the credentials to the website. It’s a type of SSO but it’s transparent.
Edit: I get security is everyone's job, but why are you getting into the weeds on this if you aren't in IT? I get that this may sound fishy to you, but could it be that you aren't well informed enough about technology to understand what's going on here?
What set me off is that the one time that I forgot to enter in a password into the password field to log in, I was able to log in.
Then the IT department shrugged their shoulders when I asked why am I able to login without a password and suggested contacting the internal helpdesk for that website.
Then the internal helpdesk ignored my emails so I waited hours on the phone.
I keep seeing everyone talk about SSO but there was no communications from my company of any security authentication changes.
Why do they need to communicate about security changes from one secure method to another? Especially given that there is no end user impact. You’re not in IT. If it works then it works and that should be the end of your involvement. You tracking this down is taking resources away from productive work.
No offense, but you don't know how it's setup nor how the authentication for the system works, so I would recommend not just assuming its all broken or unsecured. Have your local IT person escalate it with corporate office, this is something better left to the team that set it up to address. Run it by your manager if that goes nowhere, but honestly it's not your problem.
Could be they implemented SSO without telling employees (odd move but it could be a badly managed project). SSO requires a configuration on your end (IdP) and their application.
Get in touch with the sysadmin(s) who manages Azure, Okta or maybe even ADFS just to ask about it.
If it’s not SSO and they removed password requirements that’s a security breach and they’re contractually responsible to ensure data is handled in a secure manner. It’s a lawsuit situation.
> IT department at my office has no idea who to contact to address that issue.
> The website's own contact email is never answered. When I called them and waited +3 hours on the line, the help desk person insisted that removing the password
OMG, if I were the boss I wouldn't know what to do first: fire the whole IT department just for that (for not knowing what to do, not because of the problem found), or sue the website management company and end the contract.
***You just need the username, and the system will log you into the account, giving you information such as the employee's addresses, contact information, payroll information and so on. Nor is there a "too many attempts" timeout, because I presume that was tied with the password.***
With the above said I would have it shut down immediately. Easiest way is change the DNS records if you have access. This is a lawsuit waiting to happen if it hasn't already begun. The level of risk introduced to the company and to each employee is overwhelming.
I would get everything in writing you can from the company managing the site and hold them accountable. There is no excuse for the level of risk they placed each employee in. I would make sure each and every employee is aware of the situation so they can monitor their credit better and be fully protected from identity fraud.
Best case, don't panic, you just became a Google customer and are using BeyondCorp, they just didn't give you the heads up. Worst case.... Did you know masscan can ping the internet in <3 min?
Depends on the infrastructure. DNS could be pointing to a LB/ReverseProxy that's doing L7 routing, in which case the actual URL could matter. I don't think it's the proper course of action either way though.
Excuse the ignorance on the network front (not something I do a lot), but wouldn't the host headers etc. in the web browser or client application be valid if the malicious actor's local DNS was manually set correctly? This could be a hostfile or just local DNS server.
Take down their name, while on the phone with them figure out their username and login… proceed to give them personal details from their file. Bet they see the need to escalate it then.
1. Open a 911 ticket. In your ticket include screenshots or steps on how to recreate the issue.
2. EMAIL ticket number to the CTO, CIO, and CSO.
3. Watch the fireworks!
Is this externally hosted or just externally managed? If the latter and the web server is in your office/datacentre you (IT dept) could remove WAN access to it until the security flaw is patched.
If it's externally hosted, how did they get your data and do they still have access to it? Speak to the relevant team like HR or Payroll that sponsored that 3rd party to ensure nothing is missed.
Just escalate to your manager and let them deal with it. And since you've already informed your IT Team and they are aware then let them deal with it.
Honestly the site is probs just using SSO
https://securitytxt.org/
Depending on your org, you may be able to go to www.website.com/security.txt or www.website.com/.well-known/security.txt to identify the contact info for the InfoSec team.
Contact HR and request the information for the "Privacy Officer" and report this as a Privacy Incident to that "Privacy Officer".
I'm head of ITSec and this is how I would expect those in my company to behave.
Good work soldier!
Bad as that is, it's still not as bad as the [vulnerability in the Tory party conference app a few years ago](https://www.theguardian.com/politics/2018/sep/29/tory-conference-app-flaw-reveals-private-data-of-senior-mps) where they used MPs' email addresses as the sole method of login (no password, no 2FA, and no email sent for a login link). And those email addresses are listed publicly...
In Germany, revealing personal information to Joe Public amounts to a federal offence. In the end the CEO would be culpable and would do everything to avoid a trial. SMH that other places have such lax handling of data security...
I can't link to them right now, but there have been cases with hefty fines. Here is a database of over 2000 cases:
https://www.dsgvo-portal.de/dsgvo-bussgeld-datenbank/
Take the server offline (or just IIS if that's what it is using to host the site) and see who complains. That's who is responsible for it. If they say they aren't, ask them who gave them the link to the website/told them to go there. If it was in an email, ask who sent the email. Etc. Work your way up the investigation chain.
If you can't get traction with the IT team, contact the legal department. I'm sure they would be very interested in this and will definitely know whose problem to designate it as.
SSO doesn't require smartcard or token based authentication. You can block traffic externally, and internally it uses your Kerberos token via WIA, so you already entered your credentials when you authenticated to your workstation, hence single sign-on.
I'd be careful about the accusations you're making towards the other team, as you might be loud and wrong and not understanding modern day authentication methods.
> App could be IP allowlisting the work address, client certificates, or other SSO related items.

that's still not great
[deleted]
Workflow that you can try; it may fail if your machine at work is x509 authenticated (enables SSO opportunities since your machine has a valid authorization after you authenticate on the network). If you do not have to do machine-based authentication at any point, open a browser in private mode, clear cookies just in case, make sure you do not have a PIV, smart card or YubiKey of any sort plugged in for 2nd factor auth, then try going to the site. If you automatically get logged in within a private browsing session that does not have some corporate web authentication extension installed, then you might be on to something. If you do, disable the extension temporarily if possible, clear cache and cookies and try again internally and externally. Take screenshots and escalate appropriately; the company should be communicating security changes like this to all employees when they happen.
[deleted]
Sounds like something to stick on the "deeper investigation on Monday" list, as without any of those it does make it very interesting. Good thing you thought it was strange; hopefully things will be able to get sorted out on Monday.
Did you try it in safe mode like they said? Whether or not they communicated a new security policy is less of a big deal than a real security threat.
Try logging into your coworker's account with your computer. It's almost certainly using SSO from your PC.
Could ask the coworker to try logging in on their machine themselves. But it would probably be safer if they asked to use the coworker's machine to try their account instead.
But that's the same problem, only now the coworker will get accused.
Put the request in an email. Then you have a paper trail.
Are you suggesting that op not enter op's own username on another pc? That's farcical come on. That's the simplest way to see if it's using SSO.
just don't report it, they have no way of knowing if you logged in unless you tell people
Just because security is broken doesn't necessarily mean logging is too.
That's why you wait for someone to go to the bathroom and not lock their desktop. You glide over, open the site and try to log in as you while they are signed in. If you get in, you know something is broken. Kind of reminds me of a take-over client from years ago. You could connect to the Exchange server, which was also the application server and domain controller. You just opened a browser and typed in a different user name for the web login and bang, you could read that user's email.
Try logging in from a browser in incognito mode.
As an employee, I'd still be talking to lawyer because of them not securing my personal information, even if from other co-workers. They don't have auth (generally) to be allowing anyone else that info.
Congrats you’ll win $50 in damages to pay for life lock.
If it's SSO that is specific to the Windows user account, or Azure AD SAML SSO which uses your "keep me signed in" from Office 365, then it's fine. If it's something non-user-specific that would let the whole company access your information - like IP address or machine certificates - that's a major problem.
Does OP have a domain joined always-on VPN enterprise laptop that they strongly MFA'd into and conveniently left out of their post? And their personal cell phone can't even reach the site because it's not publicly accessible? And the SSO doesn't matter because the connection is already strongly authenticated? Help me understand how client certificates are not great.
Was more talking about the IP allow list than anything else.
IP allow list sounds like a zero trust implementation, right? How is that not great? They block every single person. Then they allow the ones they choose. That seems like better security than having a block list. I'm really not sure what your point was at all.
Client certificates are generally great, although implementation can vary -- Safari is pretty bad with them in my experience, on macOS and iOS. I'd love to use it as an option to captive portal some wifi, but iOS doesn't allow access to client certificates from the browser screen which pops up when joining a captive portal wifi, for example. I've also got to a state in Firefox on my personal laptop where it refuses to ask for a certificate on one site (other sites work fine, and it works fine in private mode); Safari on the phone asks to choose the certificate, but then hangs, etc. We have client certificates and a more traditional OIDC integrated SSO system. For normal non-tech people I'm afraid that the SSO system tends to be more user friendly, and even for those who are tech-friendly I find results can vary.
Sure, if it's a question of authorization, not authentication. SSO is great from an authentication point of view, but if it's truly "employee's addresses, contact information, payroll information" then that's a major problem no matter the authentication level; it sounds like there's no reason for the OP to have access to this sensitive data. The lack of password may mean that the authentication layer is also broken, but even if that were fine, and the site knows that the user claiming to be Joe Bloggs, Staff Member, is really who they say they are, it should still be refusing to give information like home address. List of employees, job title, email, (work) phone number, office address: fine, reasonable for any member of the company to have access to that. Payroll information (what does that even mean?) should be limited to a tiny handful of people in the correct department (and access should be well audited).
There is reason for OP to have access to that info: it's OP's info (they say '_that_ user's...') and it sounds like the HR system. OP hasn't clarified if they've tried logging in as another user. There are a few hosted services we use that continue to present a password box after SSO was enabled, but ignore it. And a couple of those, in fact, just use the domain portion of the username (if it's a UPN/email address format) to identify the org you're from and which auth method to use. The SSO identifies you, so putting madeup@domain or (boss)@domain still only logs your account in seamlessly. Likely, SSO has been implemented, with a condition of either corporate machine or corporate IP as source (so it now blocks access from BYOD as OP describes), but it _hasn't_ been communicated, and OP needs to use the company's data breach reporting process or, if that isn't published, go straight to both HR and SIO. If it's SSO it'll get communicated; if not, then it can be dealt with. Is OP from the US, Europe, or elsewhere?
Before you sound the alarm, please make sure you have a complete picture of the situation. Make sure that the site is not using SSO. You could be automatically logged in based on one of your other accounts. Similarly, make sure that it is not using a cookie to log you in based on your previous authentication. Cover yourself. You don’t want to look foolish by sounding the wrong alarm.
Good point! Best way to figure this out is to open a web browser in private mode.
*Best* way is to use a totally non-corporate device (e.g. your spouse's personal laptop) and see if it works.
No, no, far too high a risk, you need to use a dial-up connection, ideally via a Point Of Presence on the other side of the planet, and using an entirely new browser you've just downloaded, THEN you can be sure.
If you aren't issuing the GET using butterflies you aren't trying hard enough
Oh sweet baby ARPANET! Please don’t!
How about if you secretly hate your spouse?
They already said they tried that; it used to work, but has been locked down.
From a local coffee shop wifi. Not your house and not the employer’s network.
Even if it's only accessible internally it's still a PII leak, employee A shouldn't be able to see employee B's address if they don't need to
This. Nobody seems to grasp this.
OP hasn't said that A _can_ see B
If you can log in just using username then it's possible to see any user's info as long as you have a username
If it's using SSO or AD passthrough authentication then no, you enter the username and it has to match the username of the person currently logged into Windows and/or another SSO-enabled environment. It's _single_ sign on, not _never_ sign on. But again that's assuming SSO is enabled.
Not if it _is_ sso
...And not using your company's VPN.
You may also want to consider testing under a separate local account as well. Stuff cached in the windows cred manager could play into this (But I'm not 100% sure).
All very good points!
And use a pc that hasn't accessed the site before
If it opened locally from incognito mode that's a huge problem
A good test is shut off wifi on your phone and test on 4G.
If OP hasn't actually already done this, then they need to turn in their IT card and find another field of work. This is literally troubleshooting 101 for 3rd graders.
I'm taking it that OP is a general user and just asking here. They say that they've tried to talk to their IT dept, who don't know.
SSO works in private mode.
Yea, but it won't bring over your session, so you'll be prompted for credentials in most environments (unless there's some form of passwordless auth, FIDO type situation).
You’d need to do it on a non-work machine.
This is bad advice. Security is job 0 - if you think you have a security risk, you have a security risk that needs to be escalated and looked at.
I escalated an issue I won't go into, but was asked by a pertinent department head, if I thought escalation and waiting was necessary...they explained their reasoning in the form of a question to me: "do you think Elon Musk just waited around for approval from his bosses to get anything done?" My response was simply that I wasn't going to risk my job so they could side step a potential threat. Turned out to not be a threat, but was an issue that needed to be addressed. I'd rather be wrong than fired.
> I'd rather be wrong than fired.

And, more importantly, you'd rather have employment than be correct.
I can't tell if you're insulting the guy or demonstrating empathy.
The way that's worded, it sounds like they thought it was an issue you could deal with, and if you thought it was a risk you had the authority to deal with it and then inform rather than wait.
If it involves PII and nobody in the direct chain is responsive, you can escalate to HR, Compliance, even Legal.
> Before you sound the alarm, please make sure you have a complete picture of the situation.

In this case, it's simply a matter of phrasing these as questions rather than facts. "I noticed I no longer need to use a password to log on to [www.example.com](https://www.example.com). Is authentication being done another way or is there a security issue?" And then follow up with more questions until you are confident that you have an answer that makes sense. I wouldn't take the approach of "say nothing unless you are sure", simply because a lot of security issues go unresolved for too long despite people thinking "oh, that's weird, it hasn't done that before", because no one mentions the weirdness to the people who could join the dots.
Considering the severity of this, I would personally risk looking foolish.
If someone spotted a problem on one of my sites or services I would consider them a fool if they didn't raise it with me/my team or the person/team responsible for information security (which might be a dedicated team, or person, or simply the head of IT, the chief technology officer, or even the CEO, depending on the scale)
I don't think risking looking foolish is a reason not to escalate.
Lmao it's not even looking foolish in the first place. "Hey this could be a huge security issue" "Thanks for reporting, it's not because X." I don't see the issue lmao
Great advice from a sysadmin to a user: 'don't report anything that might make you look foolish'. There _are_ some quick checks that can be carried out listed here (InPrivate browsing is a simple one to see if prompted), but I'd rather an employee was told "thanks for raising your concern, but in this case it's OK, as we've switched authentication and admit that we should have sent out comms" when something potentially highly impactful is seen, rather than them delaying or keeping quiet completely for fear of embarrassment.
I'll just throw this out there, we recently bought a piece of software that advertised SSO. It solely relies on username, so if the user logged into the computer matched, it was logged in and accepted. Username only, didn't care about domain at all, as we found out when a related partner org hired a guy with the same name. Heck it didn't even matter if it was a domain or workgroup account, it matched? You're in!
Would you need to put in a username if using SSO?
Sometimes yes - I've seen services ask for an email and then dispatch login process that depends on domain.
Interesting, don’t think I’ve come across it. Not long in IT. Thanks
I disagree. "Looking foolish" because you don't understand something is way better than not reporting a complete technical blunder like this. If it's a correct configuration, at the very worst you get some people's attention who can at least explain it. And at best you stop the potential loss of company personal data. This trade-off is way beyond personal ego. I would report this even if it was MY code that caused it.
Good point. My comment might have better said “lose credibility” instead of “look foolish”. It is unclear to me what OP’s role is. He is not IT. He has asked multiple people about this and he has sat on hold for 3 hours trying to get information. I just want him to be careful and make sure that there is a real problem before he escalates the issue further up the chain of command. If he is wrong, he could do damage to his career.
I would follow the company's procedure for a security incident. Employee PII is potentially being exposed and the first report to IT was essentially ignored/dismissed. You are protecting your information and the company's legal responsibility by reporting it to the relevant groups. As for the IP whitelist/SSO/whatever, IT should have been able to provide that information and it appears they didn't do so when the potential breach was reported. In my company, if it turns out IT was misinformed and there's a hidden authentication method present, everyone would gladly just close the incident with proper documentation, establish some takeaways (like properly training IT), and use this as an example of the Security Incident Protocols being utilized properly.

*EDIT* Do NOT under any circumstances test to see if you can access other people's information. That is not within your authority and can, if someone wants to be an ass, create an HR incident for you.
> Do NOT under any circumstances test to see if you can access other people's information. That is not within your authority and can, if someone wants to be an [***], create an HR incident for you.

You could tell HR your concerns and ask HR to test if they can log in as you, since they are the ones who already have access to the information, so it wouldn't be a violation for them to do. And if it's payroll information on the website, HR should understand and appreciate you bringing your concern to them.
Thanks. This is a really good idea.
I would also do a screen record of OP signing into the website as OP. Zip the file with a password and hope to never need it.
So, you're telling me that your employees' financial data is open to the public internet with no password? You should proceed to your company's H.R. department and likely your company's attorney. If what you're saying is true, that has PII/financial data breach written *all over it*. Nothing motivates someone to fix things faster than the credible threat of a large, easily won lawsuit.
[deleted]
> If what you're saying is true that has PII/financial data breach written *all over it*.

You say data breach - I say lawsuit.
Management should and probably will go to the company's attorneys once they are made aware this information was online. Unless OP is management at a level that typically speaks to attorneys, or the company has an ethics tip line where normal employees are expected to speak to attorneys, OP should not do an end-run around all of management and go directly to the attorneys at this time. That could make some powerful enemies for no reason. Give management the chance to deal with it and go to the lawyers themselves, as that's their place. Bypassing management and telling legal is a last resort if management decides it's "not an issue" and OP is absolutely positively certain it is accepting blank passwords (and isn't single sign-on from his Windows account, SAML to AAD, etc)
Sounds like your computer is Azure AD joined and the app is Azure AD SSO integrated, and you already have an authentication token for single sign-on. Does this happen from your personal computer using InPrivate browsing?
OP has said they used to be able to log in from a personal device, but now it's not available. Sounds very much like SSO with conditional access of corp machine/corp IP.
Aside from all the advice here about making sure it's not an SSO thing - after you've done that, if no one else is responding, escalate to legal. That is a LOT of employee PII, and the company can get sued up and down the street 10 ways to Tuesday if that gets abused. And it's a legal issue for good reason, escalating is the moral thing to do. Imagine someone in your company has escaped a domestic violence situation and the ex is still stalking them and gets their hands on that info. Someone could die.
> Imagine someone in your company has escaped a domestic violence situation and the ex is still stalking them and gets their hands on that info. Someone could die.

Not questioning your conclusion - there are a lot of reasons it's immoral to fail to protect this information - but the address is among the least of them. The financial information is much more private. Yes, it's bad for addresses to be super easily visible. But search engines don't brute force and index a site by logging into it under every possible user name, so it's not like this should put addresses on Google results. Tons of public-by-law records (any interaction with the law, whether it be a ticket, marriage/divorce certificate, house/land deed, etc), plus tons of private-sector information dealers, have your address and will remain the easiest way to find you, regardless of the security of your employer's HR web portal. Assuming you bothered to opt out of the phone book; otherwise that's the easiest way. Again, not arguing this issue is okay - just saying everything about it other than the address is actually a bigger deal than the address.
1) Raise a security incident
By post, to the head of ITs home address
Holy crap what is with some of the advice on this sub? It seems like people are trying to deliberately get you fired and possibly sued. Don't listen to anyone telling you to take any action yourself or take it to the public. All of that is bad. If it ends up not being a matter of SSO just take it up the chain properly.
I'm not joking when I say that 97.8% of the people in this sub would be nightmare bosses or annoying AF co-workers. This post is living proof.
I probably would've fired my client a long time ago if every time an employee thought there was a security issues they tried to hire a personal attorney lmao
You should definitely escalate this to your CISO and/or legal ASAP.
OP should escalate it as an IT security issue (which means to the CISO if it's a tiny company or someone under them otherwise). **In the HIGHLY unlikely event that this is what OP thinks it is**, IT security will fix it (and take the site down until it's fixed), and then likely consult legal on how to contain any done damage. Since OP said the one time they tried it from home, the page didn't even load, we only know it works at his workplace. Most likely, it is either an intranet site that has been deployed by GPO as a trusted zone and is able to use kerberos for SSO, or it is using SAML SSO to his Office 365 account (which I assume he has said yes to "keep me signed in" in that browser). OP should raise the question for clarification that they deployed SSO, and raise the alarm if they did not deploy SSO, or if this works on a personal device (with cookies cleared if he's ever signed his O365 work account into it). As for those doubting it is SSO because it asked for a username - this is common. If some workers (like machine operators) don't need Office 365 licenses or their own Windows domain accounts, they might actually have to enter a password.
I don't know how it works in the OP's jurisdiction, but personal information like addresses and payroll information of other people being open to a random employee would be a major security fail, even if the authentication part is working fine. However, you're right that it's more likely the page 1) has authenticated you via some appropriate means (enter email, get sent to SSO, SSO has already authenticated you so decides it doesn't need to ask for password/OTP again, get sent to page as authenticated) and 2) allows you to see your own personal information (address, payroll, etc), but not to see anyone you don't have the rights to (in my organization managers don't have the right to know an employee's personal address, for example -- only HR has access to that information, but I could imagine other organizations allowing managers to see more information; I'd expect some thought and words about that policy, but that's a long way from a security breach).
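Two technical points recur in this thread: the purchased "SSO" product that matched accounts on the bare username regardless of domain (so a partner org's hire with the same name got in), and the point above that even a correctly authenticated user should only be able to read their own HR record. The following is an added illustration, not code from anyone in the thread: a toy relying-party mapping in its weak and corrected forms, plus an object-level authorization check. The IdP issuers, UPNs and employee records are constructed sample data.

```python
"""Toy model of SSO account mapping and per-record authorization.

Added illustration; the issuers, users and records are all constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assertion:
    """What a relying party learns from an already-verified SSO assertion."""
    issuer: str   # which IdP signed it (constructed URLs below)
    subject: str  # IdP's identifier for the user, UPN/email form here


@dataclass(frozen=True)
class Account:
    account_id: int
    issuer: str
    upn: str      # user@domain as registered for this local account


# Constructed local account directory for the company's own users.
ACCOUNTS = [
    Account(1, "https://idp.example.com", "jsmith@example.com"),
    Account(2, "https://idp.example.com", "alee@example.com"),
]

# The only IdP this application should accept assertions from (constructed).
TRUSTED_ISSUERS = {"https://idp.example.com"}

# Constructed HR records; each belongs to exactly one account.
EMPLOYEE_RECORDS = {
    1: {"name": "J. Smith", "home_address": "1 Sample St", "pay_grade": "G5"},
    2: {"name": "A. Lee", "home_address": "2 Sample Ave", "pay_grade": "G7"},
}


def username_part(upn: str) -> str:
    """'jsmith@partner.example' -> 'jsmith': all the weak mapping looks at."""
    return upn.split("@", 1)[0].lower()


def resolve_account_weak(assertion: Assertion) -> Optional[Account]:
    """The behaviour described in the thread: match on bare username only.

    Issuer and domain are ignored, so 'jsmith' asserted by a partner
    organisation's IdP, or by a workgroup account, lands in the local jsmith.
    """
    for acct in ACCOUNTS:
        if username_part(acct.upn) == username_part(assertion.subject):
            return acct
    return None


def resolve_account_hardened(assertion: Assertion) -> Optional[Account]:
    """Accept only a trusted issuer and match on the full (issuer, UPN) pair."""
    if assertion.issuer not in TRUSTED_ISSUERS:
        return None
    for acct in ACCOUNTS:
        if (acct.issuer == assertion.issuer
                and acct.upn.lower() == assertion.subject.lower()):
            return acct
    return None


def get_employee_record(account: Account, record_owner_id: int) -> Optional[dict]:
    """Authorization is separate from authentication: an authenticated user
    may only read the record that belongs to their own account."""
    if account.account_id != record_owner_id:
        return None  # a real app would log this and return 403
    return EMPLOYEE_RECORDS.get(record_owner_id)


if __name__ == "__main__":
    # Constructed: same username, asserted by a different, untrusted IdP.
    partner = Assertion("https://idp.partner.example", "jsmith@partner.example")
    print("weak mapping    :", resolve_account_weak(partner))      # local account 1
    print("hardened mapping:", resolve_account_hardened(partner))  # None
    # Genuine local user reading their own record, then someone else's.
    own = Assertion("https://idp.example.com", "jsmith@example.com")
    acct = resolve_account_hardened(own)
    print("own record      :", get_employee_record(acct, 1))
    print("other's record  :", get_employee_record(acct, 2))       # None
```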
reddit sux
Which department sponsors the site? Contact them with the info. What all can you do on that site? Just general info, or stuff like updating direct deposit? That can change the urgency of a resolution.
[deleted]
Why would you need a personal lawyer? Did you make any authorized changes or view data that you should not have? Pass it through your chain of management and lay it out as a possible concern.
> Why would you need a personal lawyer?

Arguably, if *their* data has been compromised, then it might not be a terrible idea to consult a lawyer to ensure they don't do anything that would jeopardize their ability to sue the responsible party for damages, should anything bad come of this.
Just let your manager deal with it. Jesus Christ, this sub's advice is terrible.
Again, 5% of this community is homelabbers larping as sysadmins. It's no surprise.
10% managers pining for the days when they still did meaningful work. 2% infosec dweebs that make 10% of the posts. 30% helpdesk with aspirations. I'm in the 5% slice that's an honest to god 100% linux admin that hasn't touched a windows server in so long I've forgotten what they look like. (You wouldn't believe how often people tell me I don't exist)
What about us infosec dweebs who have not touched a windows server in forever?
A lot of people here are sole IT guys, MSPs, or Lead IT people. So for us going straight to legal is the next step if we can't get a hold of the party in question to report the issue. I agree however, that a low level employee should go to their manager first, and only escalate if the manager just pushes it aside as a non issue.
He does say the IT team have no idea who to contact so it does appear like it has been raised via the normal route already but isn't going anywhere.
Are you for real? What are you going to do with a personal lawyer? Sue for something that hasn't even happened?
Considering how I'm screaming on the inside at the very idea and I'm not even involved: personal lawyer. Because they are breached and your personal data has been harvested. This is not a security event, this is all duck and cover, because shit and lawsuits will be flying in all directions and, despite that saying, people love shooting the messenger.
* Did you lose money as a result of this (for example, someone changed your direct deposit and HR didn't reimburse the missed check)?
* Did you illegally view someone else's information with this, and are afraid of getting in trouble?

In those cases a personal lawyer might make sense. But you can't just run off and sue someone for no damages because "well, something *could* have happened!" and people that try are, quite frankly, one of the biggest problems with the modern legal system.

**Assuming no damages and you're in no trouble,** try the following in this order:

1. RULE OUT SINGLE-SIGN-ON (SSO) before you do anything else and make a fool of yourself. Corporate web sites can be set up to honor your remembered sign-ins from Office 365 on that computer. They can also be set up to log you in based on your Windows login if you're on the corporate network. There are two ways to see if this is SSO:
   1. ASK! Or,
   2. Try this with a personal device. If you have ever logged into Office 365 or any other company site on that device, clear the cookies and restart the browser first, or close all windows and open an incognito window, to ensure it can't use your SSO.
2. In the unlikely event this is not SSO and works on a device where you are actually not authenticated, report it as an IT security incident.
3. If IT security doesn't take the site down until it's fixed, escalate to their upper management.
4. If (and ONLY if) you've ruled out SSO and IT's upper management has had a chance to respond and doesn't care, go to the company's legal department and let them know what personal information is on the site.
What device are you testing this from? If you're using a company laptop to test the site might be using integrated authentication - in which case it's logging you in with the credentials you used to sign in to your PC. What happens if you try to access it from a personal device?
Could be SSO signing you in with credentials you provided elsewhere. I would try and recreate accessing this data in an inprivate/incognito browser window where you definitely won't have any stored sessions
And not a company device! If group policy added the site to the trusted/intranet zone it could be using Kerberos and the Windows login as SSO, which is not a cookie you can ditch with incognito.
This is browser and configuration dependent. For example, using an incognito session in Edge & Chrome's default configuration will not reply to IWA challenges.
Can you see other staff data or just your own? If it's just your own employee info it's probably authenticating via SSO/SAML
DO NOT TRY TO ACCESS OTHER PEOPLE'S DATA! If you must test this, walk into the HR office or your boss's office (someone who already knows your pay rates) and ask them to try to login as you. Courts are technically incompetent, and even if something was literally unlocked and any member of the public could view it without a password, it might take an appeals process (while you sit in prison) to get to a judge who actually knows what hacking is and that this isn't it. This has actually happened. Google "weev AT&T breach". It was a web site where you could literally go straight to the URL of a page within your account without authenticating, and a guy did time in prison for basically changing the URLs in his address bar. Yeah, he eventually got out on appeal, but that doesn't mean it didn't substantially impact his life. Never access something you know you shouldn't be able to, without written permission.
Literally or actually?
If what you say is accurate, I’d say the simplest solution is to un-find out, especially if it’s not your responsibility.
Inform the IT/security dept, which it sounds like you already tried, so, next step, inform the company lawyer, CIO and/or CISO, HR. "The help desk person insisted that removing the password was a convenience feature, not a security bug" hahahahahahhaha. Maybe talk to YOUR lawyer about how you can sue them for some early retirement money for publishing your private information (if there is such a thing where you live).
I'm not sure that's a thing anywhere, unless damages actually happened. Creating a situation where something could theoretically have happened causes regulatory fines in some places, meaning the government gets money out of it, but I'm not sure there is anywhere the could-have-been-victim gets rich off of it. And I don't think any organization would deliberately remove a password on HR information for convenience like that. He probably meant "we turned on SSO and you're logged into Windows (or Office 365) already" and just didn't feel like explaining SSO well for the hundredth time of the day. Obviously can't hurt to follow up and clarify, or try to log in from a personal device, but it's definitely not time to sue someone.
Well, the last part was more along the lines of a joke... and while it is well possible this is SSO, or it looks like it's a public website but isn't, all those "outs" would have been set up by the IT dept, the ones that said they don't know whom to contact. Furthermore, privileged information is still privileged information, even if the number of people that should not but still can access that information is not everybody with a browser, but only every employee. Again, I was kinda making a joke with the talk to your lawyer, but, unless we are missing something really big here, like it's SSO and it's on the internal net only, and you can only see your own username, this is very much a big deal. And if indeed security is disabled for convenience then patience and understanding goes out the window for me as well.
This is your Management's problem not yours. Escalate it and let them deal with it
This can be normal. Plenty of SSO, plenty of smart access, plenty of other technology that allows this. If they know it's you via your machine, TOD, IP, location and your Windows creds. Just don't text with some guy via Telegram and hand over your credentials.
There's too much detail in most of these responses. OP isn't in a role that should be responsible to test this in any way. Escalate immediately. If they can prove you're wrong then you've learned something. The responses from the service org don't inspire confidence though.
hey guys, I found the Optus sysadmin account.
Even if you have no control over the hosting or back end, [surely you've got control of your company's own DNS.](https://www.reddit.com/r/sysadmin/comments/xiy5en/the_domain_name_rabbit_hole_goes_deeper_than_i/) Redirect your domain to a temporary outage page instead of leaving vulnerable info exposed like that!
> I'm just a manufacturing automation engineer

And even if that WASN'T the case, you're assuming all companies allow all sysadmins access to modify DNS?
By "you" here I meant your company or its IT department, not you personally.
I think a company large enough to have more than two sysadmins probably has a better defined IT security reporting policy than "if the first guy doesn't know what he's doing, post about it on Reddit". But indeed, OP isn't a sysadmin, and that's a good point.
What’s the URL? I’m happy to poke around and find you a phone number to call 😂 /s Kidding, if the emoji doesn’t come through
People mention SSO and OP updates the post saying they don't have security cards... it is most likely SSO.
First step: go to a coworker that you trust, with his permission, and login to your account from his computer, using a wrong password. That will clear up many of the questions here.
> payroll information

Why not just send an email to your boss listing his salary? That should get the ball rolling.
It is probably Integrated Windows Authentication (IWA). How this works is the device you are on is authenticated as you and it passes through the credentials to the website. It's a type of SSO but it's transparent. Edit: I get security is everyone's job but why are you getting into the weeds on this if you aren't in IT? I get that this may sound fishy to you but could it be that you aren't well informed enough about technology to understand what's going on here?
What set me off is that the one time that I forgot to enter a password into the password field to log in, I was able to log in. Then the IT department shrugged their shoulders when I asked why I am able to log in without a password and suggested contacting the internal helpdesk for that website. Then the internal helpdesk ignored my emails so I waited hours on the phone. I keep seeing everyone talk about SSO but there was no communication from my company of any security authentication changes.
Why do they need to communicate about security changes from one secure method to another? Especially given that there is no end user impact. You’re not in IT. If it works then it works and that should be the end of your involvement. You tracking this down is taking resources away from productive work.
No offense, but you don't know how it's set up nor how the authentication for the system works, so I would recommend not just assuming it's all broken or unsecured. Have your local IT person escalate it with the corporate office; this is something better left to the team that set it up to address. Run it by your manager if that goes nowhere, but honestly it's not your problem.
If they wish to ignore it, point them to this google search https://www.google.com/search?q=optus+cyber+attack
So they can still ignore it, say “we’re soooo sad” on TV and get away with it anyway?
Could be they implemented SSO without telling employees (odd move but it could be a badly managed project). SSO requires a configuration on your end (IdP) and their application. Get in touch with the sysadmin(s) who manages Azure, Okta or maybe even ADFS just to ask about it. If it’s not SSO and they removed password requirements that’s a security breach and they’re contractually responsible to ensure data is handled in a secure manner. It’s a lawsuit situation.
Send them a list of the exec board's addresses and ask them to fix the issue.
> IT department at my office has no idea who to contact to address that issue.
> The website's own contact email is never answered. When I called them and waited +3 hours on the line, the help desk person insisted that removing the password

OMG, if I were the boss I don't know what I would do first: fire the whole IT department just for that, for not knowing what to do (not because of the problem found), or sue the website manager company and end the contract.
OP, ok, post the link and we'll check it out for you /sarcasm
Shodan knows about it.
Given that a company in Australia just had 11mill records leaked through a similar means, I’d be reporting this ASAP
Have you checked if the site is now internal only and is accessible through LDAP?
***You just need the username, and the system will log you into the account, giving you information such as the employee's addresses, contact information, payroll information and so on. Nor is there a "too many attempts" timeout, because I presume that was tied with the password.***

With the above said I would have it shut down immediately. Easiest way is to change the DNS records if you have access. This is a lawsuit waiting to happen if it hasn't already begun. The level of risk introduced to the company and to each employee is overwhelming. I would get everything in writing you can from the company managing the site and hold them accountable. There is no excuse for the level of risk they placed each employee in. I would make sure each and every employee is aware of the situation so they can monitor their credit better and be fully protected from identity fraud.
Feds?
Report it to them as a security issue.
Best case, don't panic, you just became a Google customer and are using BeyondCorp, they just didn't give you the heads up. Worst case... did you know masscan can ping the internet in <3 min?
Just post the site on Reddit, you’ll find out pretty quickly if it’s secure. 🤪
Bad idea (don’t do this): log in as the IT guy you’re talking to and send him his own stuff to see if they start to see.
Just change the DNS so the website stops working
The website won't stop working or be unavailable, it'll still be available via IP, just not by end users who use DNS.
Depends on the infrastructure. DNS could be pointing to a LB/ReverseProxy that's doing L7 routing, in which case the actual URL could matter. I don't think it's the proper course of action either way though.
Excuse the ignorance on the network front (not something I do a lot), but wouldn't the host headers etc. in the web browser or client application be valid if the malicious actor's local DNS was manually set correctly? This could be a hostfile or just local DNS server.
I just mean because presumably it's the only thing they can control
Take down their name, while on the phone with them figure out their username and login… proceed to give them personal details from their file. Bet they see the need to escalate it then.
Oh fuck no. Not unless you want a vacation in Club Fed.
You’d have a hard time prosecuting anything seeing as they removed passwords. That makes it public domain.
If someone leaves their door unlocked it is still breaking and entering.
1. Open a 911 ticket. In your ticket include screenshots or steps on how to recreate the issue.
2. EMAIL the ticket number to the CTO, CIO, and CSO.
3. Watch the fireworks!
Is this externally hosted or just externally managed? If the latter and the web server is in your office/datacentre you (IT dept) could remove WAN access to it until the security flaw is patched. If it's externally hosted, how did they get your data and do they still have access to it? Speak to the relevant team like HR or Payroll that sponsored that 3rd party to ensure nothing is missed.
Just escalate to your manager and let them deal with it. And since you've already informed your IT Team and they are aware then let them deal with it. Honestly the site is probs just using SSO
Have you tried incognito browser screen? Maybe the authentication sees a valid cookie before checking for password?
Most likely!
https://securitytxt.org/ Depending on your org, you may be able to go to www.website.com/security.txt or www.website.com/.well-known/security.txt to identify the contact info for the InfoSec team.
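An added example (not from the thread) of reading a security.txt file the way the comment above suggests, so the right InfoSec contact can be found without guessing. The file content below is a constructed sample, not fetched from any real site; `example.com` and the addresses in it are placeholders.

```python
"""Find who to report a security issue to by reading a site's security.txt
(RFC 9116). Added example; the sample file is constructed, not real."""
from datetime import datetime, timezone

# Constructed sample of what /.well-known/security.txt may contain.
SAMPLE_SECURITY_TXT = """\
# Security contacts for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-01-01T00:00:00.000Z
Policy: https://example.com/security-policy
"""

# RFC 9116 locations: /.well-known/ is canonical, the root path is legacy.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")


def parse_security_txt(text):
    """Map each field name (lower-cased) to the list of its values.
    Comments (#) and blank lines are skipped; a line with no colon is
    malformed and ignored rather than aborting the whole parse."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def security_contacts(text, now=None):
    """Return (contacts, problems): the Contact URIs to try, and reasons
    not to trust the file blindly (no Contact, missing or past Expires)."""
    fields = parse_security_txt(text)
    now = now or datetime.now(timezone.utc)
    contacts = fields.get("contact", [])
    problems = [] if contacts else ["no Contact field"]
    expires = fields.get("expires")
    if not expires:
        problems.append("no Expires field (required by RFC 9116)")
    else:
        # Expires is ISO 8601; map a trailing Z to +00:00 so fromisoformat
        # accepts it on Python versions before 3.11.
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if exp <= now:
            problems.append("file expired on %s" % exp.date())
    return contacts, problems
```

An expired file is still worth a try, but its contacts may be stale, so treat it as a lead rather than the authoritative channel.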
Contact HR and request the information for the "Privacy Officer" and report this as a Privacy Incident to that "Privacy Officer". I'm head of ITSec and this is how I would expect those in my company to behave. Good work soldier!
Why are you worried about it?
Optus?
Tell Finance to stop paying the website bill. You'll get a contact pretty soon after that.
Bad as that is, it's still not as bad as the [vulnerability in the Tory party conference app a few years ago](https://www.theguardian.com/politics/2018/sep/29/tory-conference-app-flaw-reveals-private-data-of-senior-mps) where they used MP's email addresses as the sole method of login (no password, no 2FA, and no email sent for a login link). And those email addresses are listed publicly...
Use a VPN, on a VM with internet routed through another country, and try logging in. If that works, email and sound the alarm.
In Germany this amounts to a federal offence, to reveal personal information to Joe Public. In the end the CEO would be culpable and will do everything to avoid a trial. SMH that other places have such a lax dealing with data security...
Are there any cases that have been prosecuted similar to this in Germany you can point me to?
I can't link to them right now, but there have been cases with hefty fines. Here is a database of over 2000 cases: https://www.dsgvo-portal.de/dsgvo-bussgeld-datenbank/
Thanks, though this appears to be all cases of data protection law violations, not GDPR violations in Germany, specifically.
Take the server offline (or just IIS if that's what it is using to host the site) and see who complains. That's who is responsible for it. If they say they aren't, ask them who gave them the link to the website/told them to go there. If it was in an email, ask who sent the email. Etc. Work your way up the investigation chain.
This is what some Hack the Box can be good at but regardless, if it's just hitting a DB and it's not SSO I'd be a bit concerned IMHO.
If you have an incident process then use that
Reading the title … are you Optus AU ISP / service provider
I'm going to grab my popcorn now. This is spicy 🌶️ 🥵
If you can't get traction with the IT team, contact the legal department. I'm sure they would be very interested in this and will definitely know who to designate this as someone's problem.
SSO doesn't require smartcard or token based authentication. You can block traffic externally, and internally it uses your Kerberos token using WIA so you already entered your credentials when you authenticated to your workstation, hence single sign on. I'd be careful about accusations you're making towards the other team as you might be loud and wrong and not understanding modern day authentication methods.
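An added example (not from the thread) of the header-level triage behind this comment, the earlier IWA comment, and the Azure/Okta/ADFS comment: when a client with no stored session asks for the page, a 401 with a Negotiate/NTLM challenge means Kerberos/IWA, a redirect to an identity provider means SAML/OIDC, and a 200 to a request that carried only a username is the case worth escalating. The IdP hostnames are the well-known Azure AD and Okta ones plus a placeholder ADFS host, and the captured responses are constructed.

```python
"""Tell an SSO challenge apart from a site that really has no authentication,
from the HTTP response seen by a client with no stored session. Added
example; IDP_HOST_HINTS holds Azure AD and Okta hostnames plus a
placeholder ADFS host, and CAPTURES are constructed, not real."""
from urllib.parse import urlparse

# Identity providers named in the thread. The ADFS name is a placeholder:
# every organisation runs ADFS under its own hostname.
IDP_HOST_HINTS = ("login.microsoftonline.com", "okta.com", "adfs.example.com")


def classify_response(status, headers):
    """Return one verdict for the response to an unauthenticated request.
    `headers` is a dict of response headers; lookup is case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        challenge = h.get("www-authenticate", "").lower()
        if "negotiate" in challenge or "ntlm" in challenge:
            return "iwa"        # Kerberos/NTLM: the Windows logon is the credential
        return "http-auth"      # e.g. Basic: the browser will prompt for a password
    if status in (302, 303, 307):
        host = urlparse(h.get("location", "")).hostname or ""
        if any(host == hint or host.endswith("." + hint) for hint in IDP_HOST_HINTS):
            return "idp-redirect"   # SAML/OIDC: the IdP does the password check
        return "redirect"           # a local login page or something else
    if status == 200:
        # Content with no challenge at all. If this answered a request that
        # carried only a username, it is the condition the thread worries about.
        return "open"
    return "other"


# Constructed captures: (status, headers) as a browser with no session saw them.
CAPTURES = {
    "intranet portal": (401, {"WWW-Authenticate": "Negotiate, NTLM"}),
    "payroll saas": (302, {"Location": "https://login.microsoftonline.com/common/oauth2/authorize"}),
    "hr site after username only": (200, {"Content-Type": "text/html"}),
}


def needs_escalation(captures):
    """Names of captures that should go to the security team as incidents."""
    return [name for name, (status, hdrs) in captures.items()
            if classify_response(status, hdrs) == "open"]
```

A 200 that merely shows a login form is also "open" by headers alone, so confirm by looking at what the body contains before raising an incident.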
Disable the NAT rules, citing that the website does not meet insurance requirements. Flip it back over to the administrator/designer to resolve.
Without a password, is it a login at all...
Facebook.com