Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneEuropolH1:719631
HistoryOct 22, 2019 - 3:15 a.m.

U.S. Dept Of Defense: [Partial] SSN & [PII] exposed through iPERMs Presentation Slide.

2019-10-2203:15:50
europol
hackerone.com
84
JSON

Hello @deptofdefense, when performing reconnaissance, I came across a presentation slide that displayed live data since the data is blocked out & is formatted with XXX-XX with the last 4 digits.

The exposed data contains the following: UPC, Division/Brigade, Rank, Soldier Name, Last 4 digits of SSN, FRR (Financial Record Reviews), PRR (Personal Record Reviews).

Here are a few exposed users:
████████, XXX-XX-█████████
████████, XXX-XX-█████

The link that is hosting the Presentation Slide: https://████████/wp-content/uploads/2017/12/Introduction-to-iPERMS-Slides.pptx & on Slide 25, there is the exposed data.

The remediation/mitigation for this security flaw is the removal of the data/file & I have set the severity to Critical as it is exposing sensitive [PII] which could lead to a data breach.

Impact

The sensitive information can be used to authenticate through various web-portals especially with the last 4 digits & full name with rank.

JSON