The Punjab Information Technology Board (PITB) was found responsible for exposing the private data of thousands of Pakistani citizens.
The flaw was a basic web-server misconfiguration rather than anything sophisticated: directory listing was left enabled on one of the PITB servers that stores large volumes of records, so anyone who reached the directory's URL was shown its full contents and could open or download every file in it. No credentials or special tooling were needed, which gave trivial access to private and sensitive data of thousands of citizens.
Anyone with very basic computer skills could open the exposed directory and download dozens of gigabytes of private data, including:
- CNIC numbers
- Scans of the front and back of CNICs
- Scanned copies of all educational degrees
- Work experience records
- CVs, and more
The issue has since been fixed, and it bears mentioning that we are publishing this story only after the server was secured.
PITB said that its servers are usually secure and are routinely monitored for flaws. "This very specific incident, however, remained unattended due to a recent server upgrade," PITB said.
We have seen this before: organizations, mainly through poor planning, exposing the private and sensitive data of their users, students or job applicants.
At a time when digital identities are becoming ever more valuable, exposing someone's private data can become a lasting nightmare for that individual; a CNIC number or a scanned identity document cannot be reissued the way a leaked password can.
Organizations like PITB, which hold records on hundreds of thousands of Pakistanis, should treat even such basic configuration details seriously, since they are exactly what lets data fall into the wrong hands.
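Whether a server is exposing a directory in this way is easy to check and easy to overlook after an upgrade. The Python script below is added here as an illustration; it is not code from the original article, from PITB or from the tipster. It parses the index pages that Apache's mod_autoindex and nginx's autoindex generate for a directory with no index file, returns the entries they link to, and flags the file types that, in an applicant upload directory, are likely to be identity scans, degree certificates, CVs or bulk exports. The three sample pages, including every path and file name in them, are constructed for the example and were not captured from any real server.

```python
"""Detect auto-generated directory listings and enumerate what they expose.

Added example for this article; not code from the original page or from PITB.
The sample pages below are constructed and were not captured from a real host.
"""
from html.parser import HTMLParser

# Extensions that, in a job-application upload directory, usually mean
# identity scans, degree certificates, CVs or bulk data exports.
SENSITIVE_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx",
                        ".zip", ".sql", ".csv", ".xls", ".xlsx"}


class _IndexPageParser(HTMLParser):
    """Collect the <title> text and every (href, anchor text) pair."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.links = []          # list of (href, anchor text)
        self._in_title = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        if self._href is not None:
            self._text.append(data)


def parse_listing(html):
    """Return (is_listing, entries) for one HTTP response body.

    Both Apache and nginx title their auto-generated pages "Index of <path>";
    a normal application page does not, so it yields (False, []).  Apache's
    column-sort links ("?C=N;O=D") and the parent-directory link are dropped
    so that only real files and subdirectories remain.
    """
    parser = _IndexPageParser()
    parser.feed(html)
    if not parser.title.strip().startswith("Index of /"):
        return False, []
    entries = []
    for href, text in parser.links:
        if href.startswith("?") or href == "../" or text == "Parent Directory":
            continue
        entries.append(href)
    return True, entries


def sensitive_entries(entries):
    """Keep only entries whose extension suggests a personal document or export."""
    flagged = []
    for entry in entries:
        name = entry.rstrip("/").rsplit("/", 1)[-1]
        dot = name.rfind(".")
        ext = name[dot:].lower() if dot >= 0 else ""
        if ext in SENSITIVE_EXTENSIONS:
            flagged.append(entry)
    return flagged


# Constructed sample responses in the two servers' default listing formats.
APACHE_LISTING = """<html><head><title>Index of /uploads/applicants</title></head><body>
<h1>Index of /uploads/applicants</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/uploads/">Parent Directory</a></td></tr>
<tr><td><a href="cnic_front_1001.jpg">cnic_front_1001.jpg</a></td></tr>
<tr><td><a href="cnic_back_1001.jpg">cnic_back_1001.jpg</a></td></tr>
<tr><td><a href="degree_1001.pdf">degree_1001.pdf</a></td></tr>
<tr><td><a href="cv_1001.docx">cv_1001.docx</a></td></tr>
<tr><td><a href="notes.txt">notes.txt</a></td></tr>
</table></body></html>"""

NGINX_LISTING = """<html><head><title>Index of /applicants/</title></head><body>
<h1>Index of /applicants/</h1><hr><pre><a href="../">../</a>
<a href="1002/">1002/</a>
<a href="export.sql">export.sql</a>
</pre><hr></body></html>"""

NORMAL_PAGE = """<html><head><title>Jobs Portal</title></head>
<body><a href="/login">Login</a></body></html>"""

if __name__ == "__main__":
    for label, body in (("apache", APACHE_LISTING), ("nginx", NGINX_LISTING),
                        ("app page", NORMAL_PAGE)):
        listing, entries = parse_listing(body)
        print(label, "listing" if listing else "no listing", sensitive_entries(entries))
```

Turning the listing off is the server-side fix (`Options -Indexes` for the directory in Apache; `autoindex off` in nginx, which is also its default), but it only hides the index. Any file under the web root is still served to whoever knows or guesses its URL, so applicant uploads belong outside the web root, delivered through an authenticated endpoint that checks the requester's entitlement to that specific file before returning it.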
Thanks to Uzair Farooqui for the tip.
When you rely on students and non-professionals to build a corporate-level product, this happens. That’s why a professional charges you tons of money. Experience counts; an education that merely included a ‘Network Security’ subject does not.
Shh! You’ll upset the greatest IT person of Pakistan, Mr Umar Saif!
proclaimed IT LORD
This is like:
Our son sends 1000 SMS for 3 rupees.
Don’t agree with you; the greatest is not enough. He needs to engage experienced professional personnel.
Aamir bhai, I don’t see any credits here. Lol?
Do you deserve the credit? After bashing me this badly?
You only give credit to people who are nice to you?
I was kidding and said this in a light mood.
Hahaha xD Hackers everywhere :P I bet the data is dumped already :P
“This very specific incident, however, remained unattended due to a recent server upgrade.”
Directory permissions are a basic thing when putting files on a server.
You hire amateur guys and then make lame excuses.
Most probably the work of interns.
I even sent an email to PITB and tweeted Umer Saif, but they didn’t respond.
Does anybody have the dump? I think we need to make a lesson out of this one.
You want to get arrested? Because that’s how you get arrested :D
You want to be in the news again? This time for the wrong reasons :p
This issue was shared with them (Dr. Umer Saif) on 03-Aug-2017 and no action was taken until yesterday. Today it is fixed.
Nightmare! It’s literally the basics of publicly exposed machines with any sensitive data.
Do they have any type of monitoring on these servers at all? Would they be able to produce an estimate of the amount of data exposed and downloaded? I doubt it, unfortunately.
18,000+ individuals’ data, containing all their sensitive information, was openly available. It seemed to me like someone did it deliberately…
Only ITU data or tenant info also?
It was the data of job applicants who applied for various posts advertised by PITB recently.
I see. Can you mention the vulnerable endpoint?
And is this the page? http://jobs.pitb.gov.pk/
I never applied, I’m safe :)
Then give us the girls’ numbers…
Remember what Amber did to Sheeda? :D
We got played… she gives us a wrong number :/
Actually, no one is serious about privacy.
If they are, they must think positively about the servers that are already physically available to enemy countries.
And they have imposed their willing policies on us…
Did anyone think about it???
Thanks for sharing. I will try to contact PITB with a PPT on the importance of personal data and its protection :P
But can somebody tell me what they are hosting? As far as I know, they are providing public/private cloud hosting. Does anybody know which organization’s data got compromised? Thanks!
While praying for a shaheed SSP, someone looks so happy to see his own name on the name plate.
Not news; I’ve known this since July. They didn’t make the pages private, trouble for the women particularly.
It was not just about the pages. It was about the documentation: CNIC pics, educational records, work experience, etc…
Yes, I know; you could just change the URL to access everything (the pages containing the data). They didn’t make anything private.
An open letter to Dr. #UmarSaif: Instead of posting threats of legal action by the govt., make clear the security of your I.T. systems. The news may be true or false. Of course you can take legal action, but first, you hold huge amounts of sensitive data; assure us whether it is safe all the way, because theft of sensitive data can cause irreparable loss to innocent citizens. Regards, Shahid Jamal Tubrazy, Cyber Security Consultant & Lawyer.