French international transport company… makes private data public!

I recently modified the security scripts that analyze attacks against my home network and decided to see if any of the systems that had been brute forcing me were running websites. I wrote a small port scanner in Python and let it rip… several had HTTPD running. I browsed to one in particular, which happened to belong to a French shipping/transport company. There were hundreds of order information PDFs and packing slips scattered throughout the site, complete with customer names, addresses, what they had ordered, etc. If their customers knew about this lack of security, I'm sure they would go out of business.
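As an illustration of the kind of "security script" the post opens with, here is an added example (not the author's actual script) that runs the usual brute-force check over a few constructed sshd log lines: it counts failed logins per source address and flags any source that crosses an assumed threshold. The log lines, the addresses (RFC 5737 documentation ranges) and the threshold of three are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines; addresses are from the RFC 5737
# documentation ranges and do not refer to any real host.
SAMPLE_LOG = """\
Mar 12 03:14:07 home sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 03:14:09 home sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 12 03:14:12 home sshd[2214]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 12 03:14:15 home sshd[2216]: Failed password for invalid user test from 203.0.113.45 port 51041 ssh2
Mar 12 03:15:01 home sshd[2220]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar 12 03:16:44 home sshd[2230]: Failed password for invalid user oracle from 198.51.100.7 port 33044 ssh2
Mar 12 03:17:02 home sshd[2233]: Failed password for root from 198.51.100.7 port 33050 ssh2
Mar 12 03:18:30 home sshd[2240]: Failed password for bob from 192.0.2.10 port 40100 ssh2
"""

# Matches the standard OpenSSH "Failed password" message, with or without
# the "invalid user" prefix, and captures the attempted username and source IP.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def summarize_failures(log_text):
    """Return {ip: {"count": n, "users": [...]}} for every source with failed logins."""
    summary = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        entry = summary.setdefault(m.group("ip"), {"count": 0, "users": set()})
        entry["count"] += 1
        entry["users"].add(m.group("user"))
    # Sort the usernames so output is deterministic.
    for entry in summary.values():
        entry["users"] = sorted(entry["users"])
    return summary


def count_failures(log_text):
    """Counter of failed-login attempts keyed by source IP."""
    return Counter({ip: e["count"] for ip, e in summarize_failures(log_text).items()})


def brute_force_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures (assumed threshold), highest first."""
    counts = count_failures(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    for ip, n in brute_force_sources(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins, usernames tried: {summary[ip]['users']}")
```

A single failed login from an address that later authenticates (192.0.2.10 above) is normal user error and stays below the threshold; the address that cycles through several usernames in a few seconds is the one worth blocking or reporting to the owner's abuse contact.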

Being the nice guy that I am… I didn't retaliate with an attack of my own, because I realized that the owners of this website had no clue what was going on. The site appeared to be an unauthorized web server that contained company information. My guess is that someone in the shipping department thought they were technically inclined and wanted to track the shipments by uploading the slips to a centralized server, which appeared to have been bought and hosted outside of the company. Too bad the system administrators forgot to secure such important content.

I discovered their official company website… and contacted the info and abuse staff to let them know that they may need to re-evaluate their security policies. I wrote the message in English, but translated it into French as well. For starters, they have business-sensitive information in public view. Not to mention the fact that this particular server is probably a nest from which attacks on other servers are staged.
