An internal code repo used by New York State�s IT office was exposed online
Zack Whittaker@zackwhittaker / 1:00 PM CDT"June 24, 2021
Comment
Governor Cuomo Under fire As He Faces Multiple Sexual harassment Accusations
Image Credits: matthew Cavanaugh (opens in a new window)/ Getty Images
A code monument used by the New York say government�s IT department was left exposed on the internet, allowing anyone to access the projects inside, some of which contained secret keys and passwords associated with state government systems.
The exposed GitLab server was discovered on Saturday by Dubai-based SpiderSilk, a cybersecurity company credited with discovering data spills at Samsung, Clearview AI and MoviePass.
Organizations utilisation GitLab to collaboratively develop and store their source code � as wellspring as the secret keys, tokens and passwords needed for the projects to work � on servers that they control. But the exposed server was accessible from the net and configured so that anyone from outside the organization could create a user account and log in unimpeded, SpiderSilk�s foreman security officer Mossab Hussein told TechCrunch.
When TechCrunch visited the GitLab server, the login page showed it was accepting new user accounts. It�s not known exactly how long the GitLab server was accessible in this way, but historic records from Shodan, a search engine for exposed devices and databases, shows the GitLab was first detected on the internet on march 18.
SpiderSilk shared several screenshots showing that the GitLab server contained secret keys and passwords associated with servers and databases belonging to New York State�s office of info technology Services. Fearing the exposed server could be maliciously accessed or tampered with, the startup asked for help in disclosing the surety lapse to the state.
TechCrunch alerted the New York governor�s office to the exposure a short time after the server was found. Several emails to the governor�s office with details of the exposed GitLab server were opened but were not responded to. The server went offline on Monday afternoon.
Scot Reif, a spokesperson for New York State�s Office of information Technology Services, said the server was �a examine box lot up by a vendor, there is no data whatsoever, and it has already been decommissioned by ITS.� (Reif declared his reaction �on background� and attributable to a state official, which would require both parties agree to the terms in advance, but we are printing the reply as we were not given the opportunity to pooh-pooh the terms.)
When asked, Reif would not say who the vendor was or if the passwords on the server were changed. Several projects on the server were marked �prod,� or common shorthand for �production,� a term for servers that are actively used. Reif also would not state if the incident was reported to the state�s Attorney General�s office. When reached, a spokesperson for the attorney General did not notice by press time.
TechCrunch understands the vendor is Indotronix-Avani, a New York-based companionship with offices in India, and owned by adventure capital firm Nigama Ventures. Several screenshots present some of the GitLab projects were modified by a contrive coach at Indotronix-Avani. The vendor�s website touts New York state on its website, along with other government customers, including the U.S. say Department and the U.S. department of Defense.
Indotronix-Avani representative brand Edmonds did not answer to requests for comment.
