Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet.
The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by Microsoft employees for accessing other internal databases and systems.
Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files.
The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5.
Microsoft did not say if it had reset or changed any of the exposed internal credentials.
The Indian government has finally resolved a years-long cybersecurity issue that exposed reams of sensitive data about its citizens.
At fault was the Indian government’s cloud service, dubbed S3WaaS, which is billed as a “secure and scalable” system for building and hosting Indian government websites.
With evidence of ongoing exposures of private data, Majumder asked TechCrunch for help getting the remaining data secured.
Majumder said that some citizens’ sensitive data began spilling online long after he first disclosed the misconfiguration in 2022.
The exposed data, Majumder said, potentially puts citizens at risk of identity theft and scams.
Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach at the start of the month and publicly disclosed last week.
Mintlify helps developers create documentation for their software and source code by requesting access and tapping directly into the customer’s GitHub source code repositories.
These private tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify.
“The targets of this attack were GitHub tokens of our users,” Wang told TechCrunch by email.
“We are currently working with GitHub and our customers to uncover if any of the other tokens were used by the attacker,” Wang said.
A bug in an Irish government website that exposed COVID-19 vaccination records took two years to publicly disclose.
The Irish government fixed a vulnerability two years ago in its national COVID-19 vaccination portal that exposed the vaccination records of around a million residents.
But details of the vulnerability weren’t revealed until this week after attempts to coordinate public disclosure with the government agency stalled and ended.
Security researcher Aaron Costello said he discovered the vulnerability in the COVID-19 vaccination portal run by the Irish Health Service Executive (HSE) in December 2021, a year after mass vaccinations against COVID-19 began in Ireland.
Costello’s public disclosure marks more than two years since first reporting the vulnerability.
His blog post included a multi-year timeline revealing a back and forth between various government departments that were unwilling to take ownership of public disclosure.
India’s federal election commission has fixed flaws on its website that exposed data related to citizens’ requests for information related to their voting eligibility status, local political candidates and parties, and technical details about electronic voting machines.
The bugs allowed anyone to access RTI requests, download transaction receipts, and view responses shared by officials without properly authenticating user logins.
Some of the exposed data included the RTI filing date, the questions asked, the applicant’s name and mailing address, the applicant’s poverty line status, and RTI responses.
The bugs were fixed earlier this week following CERT-In’s intervention.
The Election Commission of India did not respond to a request for comment.
The Asian technology and internet company YX International manufactures cellular networking equipment and provides SMS text message routing services.
YX International claims to send five million SMS text messages daily.
But codes sent over SMS text messages are not as secure as stronger forms of 2FA, such as an app-based code generator, since SMS text messages are prone to interception or exposure — or in this case, leaking from a database onto the open web.
TechCrunch found in the exposed database sets of internal email addresses and corresponding passwords associated with YX International, and alerted the company to the spilling database.
YX International would not say for how long the database was exposed.
An Indian state government has fixed security issues impacting its website that exposed the sensitive documents and personal information of millions of residents.
The bugs existed on the Rajasthan government website related to Jan Aadhaar, a state program to provide a single identifier to families and individuals in the state to access welfare schemes.
One of the bugs allowed anyone to access personal documents and information with knowledge of a registrant’s phone number.
The state’s Jan Aadhaar portal, which launched in 2019, says it has more than 78 million individual registrants and 20 million families.
The portal aims to offer “One Number, One Card, One Identity” to residents in the northern state of Rajasthan for accessing state government welfare schemes.
Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave “unrestricted access” to the company’s source code, according to the security research firm that discovered it.
The London-based cybersecurity company said it discovered a Mercedes employee’s authentication token in a public GitHub repository during a routine internet scan in January.
According to Mittal, this token — an alternative to using a password for authenticating to GitHub — could grant anyone full access to Mercedes’s GitHub Enterprise Server, thus allowing the download of the company’s private source code repositories.
“The GitHub token gave ‘unrestricted’ and ‘unmonitored’ access to the entire source code hosted at the internal GitHub Enterprise Server,” Mittal explained in a report shared by TechCrunch.
It’s not known if anyone else besides Mittal discovered the exposed key, which was published in late September 2023.
In a phone conversation on Thursday, Hyundai Motor India spokesperson Siddhartha P. Saikia said the company would provide a statement.
The bug exposed the customer’s personal information through the web links Hyundai Motor India shared with customers over WhatsApp after receiving their vehicles for servicing at an authorized service station.
TechCrunch shared the details of the bug with Hyundai Motor India on the same day, and requested Hyundai Motor India fix the bug within seven days due to its simplicity and severity.
Established in 1996, Hyundai Motor India is among the top three carmakers in the country, alongside Maruti Suzuki and Tata Motors.
Hyundai Motor India has a network of over 1,500 service stations in the country.
Database management giant MongoDB says it’s investigating a security incident that has resulted in the exposure of some information about customers.
In an update published on Sunday, MongoDB said it does not believe hackers accessed any customer data stored in MongoDB Atlas, the company’s hosted database offering.
For one customer, this included system logs, MongoDB said.
System logs can include information about the running of a database or its underlying system.
MongoDB declined to say how many customers may be affected by the compromise of its corporate systems.