Disobey, Museokortti & NCSC-FI

traficom Mar 3, 2023

On the 17th and 18th of February "The Nordic security event" Disobey was held! I was lucky enough to get a last-minute ticket (thanks Antti!) and participate for the first time. And what a blast it was: interesting presentations, art, and meeting friends old and new, including some of the awesome folks working at NCSC-FI! 🦙

In my post mitmproxy + wireguard + iPhone = quickly discovered insecure endpoints I wrote about discovering a misconfigured S3 bucket. Now that the issue has been resolved, let's look at it in more detail.

Museokortti

Intercepting traffic was possible on most applications after installing the certificate on the iPhone. I am still surprised to see the lack of SSL pinning in most of the apps I had installed on my phone. One of those applications was Museokortti, the Finnish museum card. Paying 76 € gives unlimited access to 350 museums around the country, one of the best 76 € I've spent!

Initially, nothing interesting stood out to me until I opened my profile page. The page has all the functionality one might expect, displaying information including a profile photo stored in an S3 bucket. My first instinct whenever I see an S3 bucket is to check whether directory listing is enabled, which, it turned out, it was.

The rest of the bucket contained photos uploaded by cardholders to identify themselves, and the name, address and phone number of some customers. The photos were stored in a way that does not directly link them to a person.
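As an added example (not code from the original post, nor from Museokortti or NCSC-FI), here is a small audit helper for the misconfiguration described above: it takes an S3 bucket ACL and PublicAccessBlock configuration in the shape boto3's get_bucket_acl and get_public_access_block return, and reports whether anonymous listing of the bucket's keys is possible. The sample ACLs are constructed; the group URIs and permission names are AWS's own.

```python
from typing import Optional

# AWS predefined groups that turn an ACL grant into a public one.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# READ on a *bucket* ACL is s3:ListBucket: it lets the grantee enumerate every
# key in the bucket (the "directory listing" seen in the post). FULL_CONTROL implies it.
LISTING_PERMISSIONS = {"READ", "FULL_CONTROL"}

# The corrected setting: all four Block Public Access flags on. With
# IgnorePublicAcls set, public ACL grants are ignored even if they still exist.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def listing_findings(acl: dict, public_access_block: Optional[dict] = None) -> list:
    """Return one string per ACL grant that makes the key list reachable anonymously.

    An empty list means the ACL does not expose listing. This only covers ACLs;
    a bucket *policy* granting s3:ListBucket to "*" must be audited separately.
    """
    pab = public_access_block or {}
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants (e.g. the owner) are not public
        uri, perm = grantee.get("URI"), grant.get("Permission")
        if uri not in (ALL_USERS, AUTH_USERS) or perm not in LISTING_PERMISSIONS:
            continue
        if pab.get("IgnorePublicAcls"):
            continue  # grant is present but neutralised by Block Public Access
        who = "anyone on the internet" if uri == ALL_USERS else "any AWS account"
        findings.append(f"{perm} for {who} allows listing the bucket")
    return findings


# Constructed sample ACLs (owner id is a placeholder, not a real account).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
               "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Grants": [OWNER_GRANT,
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}

if __name__ == "__main__":
    print(listing_findings(OPEN_ACL))                                 # one finding
    print(listing_findings(OPEN_ACL, HARDENED_PUBLIC_ACCESS_BLOCK))   # []
```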

This was reported to Museokortti on 11-01-2023, and I received a response the same day thanking me for the report and confirming that work on a fix had started.

NCSC-FI

On the Saturday of Disobey, I got introduced to some great people working at NCSC-FI and their mascot. There I showed them on my phone what I had discovered and asked whether this was something they assist with. We exchanged contact information and talked about all things security.

On Monday I forwarded the details to vulncoord@traficom.fi. On Tuesday I got a response from the NCSC informing me of the actions they had taken and that they wanted to send me the above t-shirt as thanks for the report.

Then, on the same day that the NCSC contacted Museokortti, the issue got resolved. Two days later, an email was sent out informing everyone about the issue.

Working for the NCSC-FI

We have all heard jokes about those working for the government, but I can guarantee that those working at NCSC-FI are hardworking and passionate! If you ever discover any vulns or exposed data related to Finland, know that you've got friends over at vulncoord@traficom.fi.