Official Publication: ENTRYRISE S.R.L
Scope: Public notification on data breach and incorrect handling of breach
Date of the breach: February 28, 2023
BREACH Details:
- 37,483 lawyer personal identification numbers (CNPs), and work email addresses, full names, bars associated to.
- Risk of account theft on IFEP
- Risk of deanonymizing votes for Bar Association votes.
RISKS:
- Account theft (IFEP)
- Risk for deanonymization of Bar Association Dean votes through IFEP platform.
On February 28, 2023, IFEP, a platform built in collaboration between Intra Connect SRL and UNBR (The national bar association)
With the following information made public:
Full Name: Identifying all lawyers registered with a bar association in Romania.
Personal Numeric Code (CNP): A unique identifier containing sensitive data like birth date, gender, county of birth, etc.
Work Email: Emails submitted by the bar association to lawyers.
Legitimation Number: Serial number for legitimation, which could've been directly inferred via a tool on the IFEP site.
Vulnerability Difficulty - Low
The vulnerability affected a publicly accessible endpoint that was indexed by Google, allowing attackers to download a list of all lawyers, their respective bars, work addresses, and associated PINs (CNPs).
The endpoint:
Lacked any authentication or authorization measures
Shouldn't have been publically accessible, as it's not used on the IFEP application.
Was publically visible and indexed by Google Search.
Steps Taken
We immediately reported the fact that a private endpoint was indexed by google, as well as the fact that it allowed unauthorized access to private information, to the helpdesk email associated to IFEP.
We verified a fix has been implemented in a day since the notification of the vulnerability.
We have not received any notification from UNBR, IntraConnect S.R.L., or any other responsible entity outlining the steps that have been taken.
We have not noticed any official disclosure from UNBR on the extent of the data loss.
The date of the vulnerability being found coincides (but is unrelated) to the date of the proposal of building a UNBR cloud for lawyers, and it is possible that the vulnerability was not disclosed to prevent escalating an already tense discussion topic inside the profession.
β
DISCLOSURE:
We found the vulnerability when researching the data processor as well as the manager and owner of the IFEP site, in the context of the lack of transparency being discussed in regard to the legislative proposal mentioned above.
Unlike the CECCAR Breach, this one is more limited regarding identity theft, due to the reduced scope of affected information.
In addition, due to the nature of legal professions, we believe data such as personal identification numbers (CNPs) would already be available to customers. However, consensually, so we believe the risks are slightly lower.
While this vulnerability is also low effort since it involves accessing a publically indexed, and previously openly available, unauthenticated endpoint, it requires manual interaction by an attacker to exploit this vulnerability.
The CECCAR vulnerability previously reported led to unauthorized data disclosure of almost all data present on a personal identification document, with data sent to both normal and malicious users of the application.
Unlike the CECCAR breach, we believe this one is significantly less likely to have been abused in the wild.
Breach Period
While we were unable to validate the extent of the vulnerability, we believe the breach existed since the initial IFEP development, which we traced to at least April 2021.
We estimate the vulnerability was not found, abused in the wild, nor disclosed for at least 2 years.
Risk assessment and CVSS details - 5.5/10
The vulnerability was assessed based on criticality, impact, and exploitability using the CVSS scoring metric, with anestimated CVSS Scoreof:
CVSS Base Score:7.5/10
Impact Subscore:3.6/1o
Exploitability Subscore: 3.9/10
CVSS Temporal Score:7.2/10
CVSS Environmental Score: 5.5/10
Modified Impact Subscore: 1.8/10
Overall CVSS Score: 5.5/10
GDPR Report
We haven't been able to find any open report or disclosure to comply with GDPR requirements of disclosure.
While the GDPR Regulation provides an exemption from mandatory disclosure in cases of low risk of infringement of personal rights, we believe it is transparent to notify the parties involved of both the risks and the steps taken, especially in an industry where individuals prioritize the privacy of their data.
INCORPO.RO - OFFICIAL RELEASE
We believe that everyone should be aware the extent of the way their data is processed. While we are pro-processing, and are ourselves a platform that does use analytics to help shape our products, we believe this should be done responsibly and with proper disclosure.
With no action being taken to notify the involved parties in almost one year, and the recent disclosure of the IFEP data leak, we believe it's only reasonable to disclose to the involved parties the risks they were exposed to.
IFEP - Data Breach
Public notification on data breach and incorrect handling of breach by IFEP privately found and reported on February 28, 2023
β Stefan-Lucian Deleanu
IFEP - Data Breach
Update #1: 06.01.2024 00:48
Release Details
On February 28, 2023, IFEP, a platform built in collaboration between Intra Connect SRL and UNBR (The national bar association)
With the following information made public:
Vulnerability Difficulty - Low
The vulnerability affected a publicly accessible endpoint that was indexed by Google, allowing attackers to download a list of all lawyers, their respective bars, work addresses, and associated PINs (CNPs).
The endpoint:
Steps Taken
We immediately reported the fact that a private endpoint was indexed by google, as well as the fact that it allowed unauthorized access to private information, to the helpdesk email associated to IFEP.
We verified a fix has been implemented in a day since the notification of the vulnerability.
We have not received any notification from UNBR, IntraConnect S.R.L., or any other responsible entity outlining the steps that have been taken.
We have not noticed any official disclosure from UNBR on the extent of the data loss.
The date of the vulnerability being found coincides (but is unrelated) to the date of the proposal of building a UNBR cloud for lawyers, and it is possible that the vulnerability was not disclosed to prevent escalating an already tense discussion topic inside the profession.
We found the vulnerability when researching the data processor as well as the manager and owner of the IFEP site, in the context of the lack of transparency being discussed in regard to the legislative proposal mentioned above.
Similar to our previous release of the Identification, reporting, and non-reporting of breaches concerning the CECCAR accountants' database, today we present a similar yet more restricted case, affecting all Romanian lawyers.
Unlike the CECCAR Breach, this one is more limited regarding identity theft, due to the reduced scope of affected information.
In addition, due to the nature of legal professions, we believe data such as personal identification numbers (CNPs) would already be available to customers. However, consensually, so we believe the risks are slightly lower.
While this vulnerability is also low effort since it involves accessing a publically indexed, and previously openly available, unauthenticated endpoint, it requires manual interaction by an attacker to exploit this vulnerability.
The CECCAR vulnerability previously reported led to unauthorized data disclosure of almost all data present on a personal identification document, with data sent to both normal and malicious users of the application.
Unlike the CECCAR breach, we believe this one is significantly less likely to have been abused in the wild.
Breach Period
While we were unable to validate the extent of the vulnerability, we believe the breach existed since the initial IFEP development, which we traced to at least April 2021.
We estimate the vulnerability was not found, abused in the wild, nor disclosed for at least 2 years.
Risk assessment and CVSS details - 5.5/10
The vulnerability was assessed based on criticality, impact, and exploitability using the CVSS scoring metric, with anestimated CVSS Scoreof:
GDPR Report
We haven't been able to find any open report or disclosure to comply with GDPR requirements of disclosure.
While the GDPR Regulation provides an exemption from mandatory disclosure in cases of low risk of infringement of personal rights, we believe it is transparent to notify the parties involved of both the risks and the steps taken, especially in an industry where individuals prioritize the privacy of their data.
INCORPO.RO - OFFICIAL RELEASE
We believe that everyone should be aware the extent of the way their data is processed. While we are pro-processing, and are ourselves a platform that does use analytics to help shape our products, we believe this should be done responsibly and with proper disclosure.
With no action being taken to notify the involved parties in almost one year, and the recent disclosure of the IFEP data leak, we believe it's only reasonable to disclose to the involved parties the risks they were exposed to.
On this page