Russian Post is teeming with vulnerabilities

I accidentally stumbled upon a LiveJournal post that, by all appearances, has been sitting without any reaction for three weeks now.

According to researchers from an organization called Sokol-Security, they exploited vulnerabilities to reach the files of the root certificate and its key (whether the key is password-protected is not reported), which is used to sign the certificates of all Russian Post branches.

The main method used to gain access was SQL injection. The author's post shows examples of queries being executed, without the query text, that result in data leakage. Besides the key material, the personal data of a huge number of citizens who receive their pensions at post offices is also at risk of leaking.

According to the researchers, the only thing keeping them from reporting the details of this finding to the people responsible is the stubbornness of the secretariat, which cuts off every attempt at contact.
I know that Russian Post has technically competent IT people who surely read Habr. Maybe they will see this post here?

Source: https://habr.com/ru/post/246615/
