
Critical security vulnerability on fl.ru

1. Prologue


Lately the media have been full of colourful headlines about leaks of every kind: from celebrities' photos turning up in the open to the personal mailboxes of major figures being broken into. And that says nothing of everyday work in any ordinary company, where an employee uses the same password for absolutely every resource.

But today we will talk about an event that is less striking for the general public, yet far more resonant for those who, by the will of fate, have worked or are working on fl.ru.

2. Critical vulnerability in the information security of fl.ru


Straight to the point. If you are in private correspondence with someone and believe that nobody but the two of you has access to it, you would be right (at least, the opposite has not yet been proven). But as soon as you attach a file with text content to the correspondence, rest assured that it will end up in the index of the Yandex search engine.

Perhaps the above is not a bug at all but a feature? Perhaps I simply understand little about open systems? I decided to analyse the possible weak points.

To do so I used the "safe transaction" feature, or more specifically the three documents that are generated when such a transaction is concluded:

No one will disagree with me if I say that all three documents are strictly confidential, especially the "technical task", since the body of that document contains the personal details of the parties to the transaction as well as the cost of the work.

Let's try to find out whether Yandex can be used to reach the technical task of a secure transaction. We take the keywords from this document, "Appendix No 1 to the OFFER FOR THE CONCLUSION of the CONTRACT", and add an operator that restricts the search to the site fl.ru. The resulting query looks like this: "Appendix No 1 to the OFFER FOR THE CONCLUSION of the CONTRACT site:fl.ru". We run it, we look, we enjoy.

If you wished, you could write a crawler that downloads the technical tasks of every secure transaction and adds up the total value of the deals. I think that is only the beginning of what this "hole" could be used for.
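The failure described in this section comes down to attachments being reachable, and therefore indexable, without the reader having to be a party to the conversation. The following added example (my own sketch, not fl.ru's code and not from the original article) shows how a site can keep such files out of a search index: every attachment request is authorised against the conversation's participants, and the response carries X-Robots-Tag and Cache-Control headers plus a robots.txt rule as defence in depth. The data store, the session table, the user names and the URL scheme are all assumptions constructed for the demo.

```python
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers, bytes]

# Constructed sample data: one private conversation between two users and
# one attachment that belongs to it.
CONVERSATIONS = {"conv-17": {"participants": {"alice", "bob"}}}
ATTACHMENTS = {
    "att-42": {
        "conversation": "conv-17",
        "filename": "technical-task.txt",
        "body": b"Appendix No 1 to the OFFER ... (confidential contents)",
    },
}
# Constructed session table: cookie value -> user. carol is logged in but is
# not a party to conv-17.
SESSIONS = {"sess-alice": "alice", "sess-carol": "carol"}

# Crawler-facing headers sent on every response from the endpoint. They are
# defence in depth only: a crawler can only index what it is allowed to
# download, so the authorisation check below is the actual control.
PRIVATE_HEADERS: Headers = {
    "X-Robots-Tag": "noindex, nofollow, noarchive",
    "Cache-Control": "private, no-store",
}


def robots_txt() -> str:
    """robots.txt body that asks well-behaved crawlers to skip attachments."""
    return "User-agent: *\nDisallow: /attachments/\n"


def serve_attachment(att_id: str, session_cookie: Optional[str]) -> Response:
    """Handle GET /attachments/<att_id>; returns (status, headers, body)."""
    user = SESSIONS.get(session_cookie or "")
    if user is None:
        # Anonymous request: this is the position a search-engine crawler is in.
        return 401, dict(PRIVATE_HEADERS), b"authentication required"
    att = ATTACHMENTS.get(att_id)
    if att is None:
        return 404, dict(PRIVATE_HEADERS), b"not found"
    participants = CONVERSATIONS[att["conversation"]]["participants"]
    if user not in participants:
        # A logged-in outsider gets the same answer as for a missing file,
        # so a guessed or leaked attachment id confirms nothing.
        return 404, dict(PRIVATE_HEADERS), b"not found"
    headers = dict(PRIVATE_HEADERS)
    headers["Content-Type"] = "text/plain; charset=utf-8"
    headers["Content-Disposition"] = 'attachment; filename="%s"' % att["filename"]
    return 200, headers, att["body"]


def is_index_safe(status: int, headers: Headers) -> bool:
    """Judge an observed response the way an audit script would.

    A response is safe from indexing if it carries no content for the
    crawler (non-200) or if it is explicitly marked noindex.
    """
    if status != 200:
        return True
    robots = headers.get("X-Robots-Tag", "").lower()
    return "noindex" in robots


if __name__ == "__main__":
    for cookie in (None, "sess-carol", "sess-alice"):
        status, headers, body = serve_attachment("att-42", cookie)
        print(cookie, status, is_index_safe(status, headers), body[:20])
```

The is_index_safe check mirrors how a site owner could audit an existing endpoint: request an attachment URL without a session and confirm that the response is either non-200 or marked noindex. The robots.txt rule alone is not a control, since a crawler that has already fetched the file has it; the authorisation check is what actually keeps the document private.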

3. An attempt to communicate with technical support


Separately worth noting are my zealous attempts to convey the full horror of the situation to technical support.

Below I attach a screenshot of our correspondence.
[Image: screenshot of the correspondence with technical support]

Not only was the support staff member too lazy to reproduce the error himself, he also insistently tried to convince me of something that he himself most likely did not really believe.

4. Epilogue


I hope this incident will serve as a good lesson for fl.ru employees at every level, from testers and technical support to the stakeholders. When your project becomes significant, it is time to take care of information security.

Throughout this whole story I felt like the main character of the film "The Fool", who "needed it more than anyone" and whom nobody believed.

Good luck to all.

Source: https://habr.com/ru/post/253943/
