housekeeping issues with house.gov

This story begins a few months back when CTRLBOX Researchers working along with twitter user @s7nsins had discovered a open and unauthenticated server from house.gov, at the time it turned into a nightmare to get them to shut it from public access, it seems they didnt teach them a single thing, they have leaked different data this time.

A Automated monitoring system developed by CTRLBOX has detected a house.gov website source code, database exports and server administrator credentials. The data left online has as well exposed users who use and registered with particular house.gov subdomains leaving email addresses, full names, IP addresses online.

first opendirectory discovered by @s7nsins

First lets go back to the original discovery all them months ago when researcher @s7nsins discovered the opendirectory that belonged to house.gov and had much similar files as the one discovered recently. After attempted contact was made by another researcher who was comfortable in contacting the US gov about a leaky opendirectroy they got told first by the people answering the phone @ congress that they had no idea what to do or who to contact and that they should email the IT team, after this various more calls was made and the right people got notified and finally took it serious, so it had seemed, that was until last week when the CTRLBOX Open directory monitor discovered that congress was once again leaking data over yet another opendirectory.

sub directory with database and source code exports

The three subdomains leaked by congress are joyce.house.gov, long.house.gov, neal.house.gov, then there is also configuration files for carter.house.gov. Configuration files within all sub domains file systems show that they are connecting to a shared database as the root user with a common password "d4ab4b6dd0277c4d969fd31eb3ef189d70e22b32e4efc2ab" and that this appears repeated for each installation of drupal being used.

root user and password recycled
root user and password recycled

Going into the data exposed, the first incident most likely was a greater overall risk to congress as an intranet database ended up being exposed leaving 813 users details with their names, emails and passwords, the intranet exposure also over 1,000 PDF files that was for internal usage only.

The second screw up had left various SQL databases exposed and the mentioned site configuration files for each sub domain showing that they are using a shared database under the root user with a shared common recycled password. The databases left about 80 users per each domain with a total unique count of 89 different congress based account credentials exposed.

housekeeping issues with house.gov
Share this