Summary by ciberpadi
Google dork leaded information confidential in PDF
Google dork leaded information confidential in PDF
Disclosed by ciberpadi- Engagement Department of Interior: Vulnerability Disclosure Program
- Disclosed date about 2 years ago
- Priority P3 Bugcrowd's VRT priority rating
- Status Informational This vulnerability is seen as an accepted business risk
Report details
-
Submitted
-
Target Location
*.doi.gov -
Target category
Web App
-
VRT
Sensitive Data Exposure > Disclosure of Secrets > For Internal Asset -
Priority
P3 -
Bug URL
https://www.doi.gov/sites/doi.gov/files/elips/documents/standardized_positon_descriptions_for_bureau_associate_chief_information_security_officers.pdf -
Description
Disclosure of Secrets
Overview of the Vulnerability
I have searched OSINT open sources and have seen that a confidential PDF document for internal personnel has been exposed where PII such as signatures, personal names, dates, confidential contract for ministry security personnel, etc. are exposed.
Business Impact
Impact against the organization by a potential attacker is direct since he could carry out targeted attacks, information theft, identity theft attacks, document forgery, among others.
Steps to Reproduce
Search for the following OSINT query: inurl:doi.gov not for distribution | confidential | "employee only" | proprietary | top secret | classified | trade secret | internal | private filetype:xls OR filetype:csv OR filetype:doc OR filetype:pdf
Analyze PDF document: https://www.doi.gov/sites/doi.gov/files/elips/documents/standardized_positon_descriptions_for_bureau_associate_chief_information_security_officers.pdf
You can see PII leaked
Proof of Concept (PoC)
The screenshots below displays the secrets disclosed: