IFEP - Data Breach
Public notification on data breach and incorrect handling of breach by IFEP privately found and reported on February 28, 2023
Official Publication: ENTRYRISE S.R.L
Scope: Public notification on data breach and incorrect handling of breach
Date of the breach: February 28, 2023
- 37,483 lawyer personal identification numbers (CNPs), and work email addresses, full names, bars associated to.
- Risk of account theft on IFEP
- Risk of deanonymizing votes for Bar Association votes.
- Account theft (IFEP)
- Risk for deanonymization of Bar Association Dean votes through IFEP platform.
Update #1: 06.01.2024 00:48
With the following information made public:
- Full Name: Identifying all lawyers registered at a bar in Romania.
- Personal Numeric Code (CNP): A unique identifier containing sensitive data like birth date, gender, county of birth, etc.
- Work Email: Emails submitted by the bar association to lawyers.
- Legitimation Number: Serial number for legitimation, which could've been directly inferred via a tool on the IFEP site.
Vulnerability Difficulty - Low
The vulnerability affected an openly accessible, and Google-indexed endpoint, allowing attackers to download a list of all lawyers, their corresponding bars, their work addresses and associated PIN (CNP).
- Lacked any authentication or authorization measures
- Shouldn't have been publically accessible, as it's not used on the IFEP application.
- Was publically visible and indexed by Google Search.
We immediately reported the fact that a private endpoint was indexed by google, as well as the fact that it allowed unauthorized access to private information, to the helpdesk email associated to IFEP.
We verified a fix has been implemented in a day since the notification of the vulnerability.
We have not received any notification from UNBR, IntraConnect S.R.L, or any other responsible entity to detail the taken steps.
We have not noticed any official disclosure from UNBR on the extent of the data loss.
The date of the vulnerability being found coincides (but is unrelated) to the date of the proposal of building a UNBR cloud for lawyers, and it is possible that the vulnerability was not disclosed to prevent escalating an already tense discussion topic inside the profession.
We found the vulnerability when researching the data processor as well as the manager and owner of the IFEP site, in the context of the lack of transparency being discussed in regard to the legislative proposal mentioned above.
Similar to our previous release of the identification, reporting and non-reporting of the breach regarding the CECCAR accountants database, today we present a similar yet more restricted case, affecting all Romanian lawyers.
Unlike the CECCAR Breach, this one is more limited regarding identity theft, due to the reduced scope of affected information.
In addition, due to the nature of legal professions, we believe data such as personal identification numbers (CNPs) would already be available to customers. However, consensually, so we believe the risks are slightly lower.
While this vulnerability is also low effort since it involves accessing a publically indexed, and previously openly available, unauthenticated endpoint, it requires manual interaction by an attacker to exploit this vulnerability.
The CECCAR vulnerability previously reported led to unauthorized data disclosure of almost all data present on a personal identification document, with data sent to both normal and malicious users of the application.
Unlike the CECCAR breach, we believe this one is significantly less likely to have been abused in the wild.
While we were unable to validate the extent of the vulnerability, we believe the breach existed since the initial IFEP development, which we traced to at least April 2021.
We estimate the vulnerability was not found, abused in the wild, nor disclosed for at least 2 years.
Risk assessment and CVSS details - 5.5/10
The vulnerability was assessed based on criticality, impact, and exploitability using the CVSS scoring metric, with an estimated CVSS Score of:
- CVSS Base Score: 7.5/10
- Impact Subscore: 3.6/1o
- Exploitability Subscore: 3.9/10
- CVSS Temporal Score: 7.2/10
- CVSS Environmental Score: 5.5/10
- Modified Impact Subscore: 1.8/10
- Overall CVSS Score: 5.5/10
We haven't been able to find any open report or disclosure to comply with GDPR requirements of disclosure.
While the GDPR Regulation provides an exclusion to required disclosure in cases of low risk of infringement of personal rights, we believe it's transparent to notify involved parties of the risks, and the steps taken, even more so in a domain where people care about the privacy of their data.
INCORPO.RO - OFFICIAL RELEASE
We believe that everyone should be aware the extent of the way their data is processed. While we are pro-processing, and are ourselves a platform that does use analytics to help shape our products, we believe this should be done responsibly and with proper disclosure.
With no action being taken to notify the involved parties in almost one year, and the recent disclosure of the IFEP data leak, we believe it's only reasonable to disclose to the involved parties the risks they were exposed to.