The city of Columbia site had a security flaw in its search tool, according to independent security researchers. The flaw lets anyone view passwords for the website’s database and email protocol servers, creating a massive potential for abuse, researchers said on Thursday.
The vulnerability made it possible for someone to pull sensitive data out of the Columbia city government’s database, according to researchers. With access to the email protocol servers, an attacker could’ve also created spoof emails that looked like they’d come from the city government.
One bad search on the government website for South Carolina’s capital city could’ve exposed an entire database.
The flaw involved a misconfiguration of the site’s search function. If you searched for a term that couldn’t be found in the site’s database, the site would inadvertently serve up an error page meant only for administrators. The researchers was able to reproduce the security flaw through the site’s search function multiple times, including by searching name and phrases like “Bazinga.”
The researchers contacted city officials back in September but never heard back from them. They reached out again in October, they said, and another security researcher also publicly contacted the city government last November on Twitter.
Cyber-attackers often target city governments because they serve an important function and have access to sensitive information. Last November, the Justice Department brought charges against two Iranian hackers who caused more than $30 million in damages through ransomware attacks on cities like Newark, New Jersey, Atlanta and San Diego.
At the end of March, New York’s capital announced it was also hit with a hack. It’s not clear if any malicious actors found the vulnerability on the Columbia government’s website, but the exposure had the potential to cause a lot of harm. Researchers said that though the credentials were exposed, they didn’t try to access to government’s database because of ethical concerns.
The vulnerability was fixed after the security researchers reached out to city officials about the issue. The Columbia city government didn’t respond to a request for comment, but a representative confirmed…