kylesoskin changed the title from "Settings.yml config possibly reveal personally identifying information onto the open internet" to "Settings.yml config possibly reveals personally identifying information onto the open internet" on Feb 17, 2022.
Hi, I am new to this codebase, so forgive me if this is not the place to raise this concern.
In some initial poking around I noticed that there are many (I assumed real; if they are fake then ignore this) email addresses and list-shares/email groups in this file:
https://github.com/department-of-veterans-affairs/vets-api/blob/d3176d80e725886188fa2d9c6c79471ed5405255/config/settings.yml
Exposing emails, especially grouped together like this, has been frowned upon in my past experiences and provides a better attack vector for phishing scams.
For example, looking at this section (vets-api/config/settings.yml, line 570 in d3176d8, under the comment "# Settings for Education Benefits report uploading"):
I could email a person in one of those emails and use one of the other emails from the same place/group as the spoofed/from email. This would make the phishing attempt more personalized and more likely to work. Additionally, I could use context clues from the same doc to craft a more relevant subject for the email to further increase credibility.
i.e. a bad actor could do:
from (spoofed): [email protected]
to: [email protected]
subject: Urgent education benefits issue
All from info in this publicly exposed file.
Additionally, there is a list of users who are admin users here (vets-api/config/settings.yml, line 786 in d3176d8).
This makes hacking in easier if I already know what accounts I need to go after to get admin access/phish for the password.
Also, having them exposed here just makes them easier for web crawlers to find and send spam to, which is especially bad if there are listservs/email groups, which there are in here.
Brought this issue up on a call with @td-usds (I think I have his git handle correct).
This should probably be taken out and read in via an env variable, or kept as a secret in k8s, or in some way in whatever manner this is deployed.
Thanks!