A website created for global consultancy Deloitte to quiz people on knowledge of hacking tactics has proven itself vulnerable to hacking.
The site, found at the insecure non-HTTPS URL http://deloittehackeriq.com/, makes its YAML configuration file publicly accessible. Within that file, in cleartext, are the username and password for the site’s MySQL database.
The site invites visitors to “Test Your Hacker IQ” by entering a username. It then poses a series of multiple choice questions about techniques employed by hackers to obtain corporate information. The quiz doesn’t cover the possibility of publicly exposed passwords.
The blunder was spotted on Wednesday by Tillie Kottmann, a Switzerland-based IT consultant and developer who uses the handle “deletescape.” The website was taken down on Wednesday.
[Embedded tweet by Tillie Kottmann (@antiproprietary), November 4, 2020]
The deloittehackeriq.com domain was registered by Tank Design, a Massachusetts-based digital marketing firm, in 2015, and the site includes a 2015 Deloitte Development LLC copyright notice.
Kottmann told The Register that the last commit to its .git repo was in 2017 and said it’s not clear how actively the site is being used. The site was first captured by the Internet Archive’s Wayback Machine in 2018.
Further compounding the vulnerability of the site, the quiz is hosted on Ubuntu Linux 14.04, which stopped receiving security patches in April last year and is potentially vulnerable to 11 known flaws.
Kottmann said, “Maybe it’s worth mentioning that a whole lot of sites, including some other bigger corporations have .git [repositories] exposed on various domains.”
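The two exposures described in this story, a reachable .git directory and a YAML configuration file served from the web root, are easy to spot from the server side: a request for such a path answered with HTTP 200 means the file was actually handed out. The script below is an added example, not code from The Register or from any of the parties named; it parses access-log lines in the common combined format and flags requests for source-control metadata, YAML and .env configuration files and editor backups, separating those that were served from those the server refused. The log lines are constructed for the example and do not come from the Deloitte site.

```python
"""Flag access-log requests for .git metadata and configuration files.

Added example: scans combined-format web server logs and reports which
sensitive paths were requested, and which of those were actually served
(2xx) rather than blocked (403/404). Log lines below are constructed.
"""
import re
from collections import Counter

# Combined log format:
#   ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that should never be reachable under a web root.
SENSITIVE_PATTERNS = [
    # the .git directory itself or anything inside it (not .gitignore)
    ("git-metadata", re.compile(r"(^|/)\.git(/|$)")),
    ("yaml-config", re.compile(r"\.ya?ml$", re.IGNORECASE)),
    ("dotenv", re.compile(r"(^|/)\.env(\.|$)")),
    ("backup", re.compile(r"\.(bak|old|orig|swp)$", re.IGNORECASE)),
]


def classify_path(path):
    """Return the sensitivity label for a request path, or None."""
    path = path.split("?", 1)[0]  # ignore the query string
    for label, pattern in SENSITIVE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def scan_log(lines):
    """Parse log lines and return one finding per sensitive request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        label = classify_path(m.group("path"))
        if label is None:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "path": m.group("path"),
            "status": status,
            "kind": label,
            "served": 200 <= status < 300,  # a 2xx means the file went out
        })
    return findings


def summarize(findings):
    """Count served vs. blocked sensitive requests, served ones by kind."""
    served = [f for f in findings if f["served"]]
    blocked = [f for f in findings if not f["served"]]
    return {
        "served": len(served),
        "blocked": len(blocked),
        "by_kind": dict(Counter(f["kind"] for f in served)),
    }


# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Nov/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Nov/2020:10:01:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"',
    '198.51.100.7 - - [04/Nov/2020:10:01:06 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "curl/7.68.0"',
    '198.51.100.7 - - [04/Nov/2020:10:01:09 +0000] "GET /config/database.yml HTTP/1.1" 200 412 "-" "curl/7.68.0"',
    '203.0.113.9 - - [04/Nov/2020:11:30:00 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.24"',
    '203.0.113.9 - - [04/Nov/2020:11:30:01 +0000] "GET /quiz?user=alice HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Nov/2020:11:30:02 +0000] "GET /assets/app.yaml.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Nov/2020:11:30:03 +0000] "GET /docs/README.yml?v=2 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        state = "SERVED" if f["served"] else "blocked"
        print(f'{state:8} {f["status"]} {f["kind"]:13} {f["ip"]:14} {f["path"]}')
    print(summarize(results))
```

Served findings are the ones that matter for incident response: each is a file that left the server and should be treated as disclosed (rotate the database credentials in a leaked YAML file, assume the repository history is public). Blocked findings still show who is probing, which is useful context for the access rules you add afterwards.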
The Register asked Deloitte and Tank Design to comment, but we’ve not heard back. ®