A misconfiguration in one of the largest student network systems exposed exchange students in Poland to the risk of fraud and phishing attacks.
On June 16th, 2023, the Cybernews research team discovered multiple subdomains of the Polish Erasmus Student Network (ESN) website leaking files with sensitive credentials.
Malicious actors could have exploited the leaked credentials for multiple attack vectors. These include unauthorized access to websites with the ability to make changes, carrying out phishing campaigns, and executing lateral movement within other internal systems of ESN. The ultimate goal could be to hijack official communication channels for malicious purposes.
The leak could theoretically allow attackers to access an applicant’s data, as the affected subdomains, such as jobs.esn.pl, were used to apply for job offers. However, to exploit the database, the attackers would first need to gain a foothold in the victim’s network.
Cybernews contacted the ESN, and the network collaborated with us in fixing the misconfigurations to secure the affected websites. However, our investigation reveals that the sites were left vulnerable to malicious actors for almost two years.
ESN, a Europe-wide student organization, was created in 1987 to provide international exchange programs for students. 511 education institutions are partnered with ESN across 41 countries, offering services to more than 350,000 students.
What ESN data was exposed?
According to the team, the data was exposed through a publicly reachable environment file (.env) that contained the credentials. A .env file holds the configuration values (environment variables) an application reads at startup, such as database hosts, passwords, and encryption keys, which makes it a critical component of any deployment.
Leaving these files open to anyone exposes critical data and provides threat actors with various attack options.
Additionally, researchers discovered an exposed WordPress application programming interface (API) on multiple endpoints, allowing for user enumeration. In total, the exposed data included:
- WordPress usernames
- Database host, port, and credentials
- Craft CMS security key
The Craft security key plays a crucial role in both decrypting and encrypting user cookies. Malicious actors could have used the leaked key to create custom-crafted cookies that the website would accept. This opens the door to session hijacking, potentially enabling the creation of an admin session or the decryption of cookies belonging to other users.
The leaked key could have been employed to decrypt entries stored in the database by plugins used on the site. This would have facilitated the easy decryption of additional credentials and sensitive information, amplifying the potential impact of the security breach.
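To make concrete what an exposed .env file gives away and what has to be rotated afterwards, here is an added Python example (not code from the article or from ESN) that parses a constructed .env file, builds a rotation plan grouped by credential class, and produces a redacted listing that is safe to paste into an incident ticket. The key names (DB_PASSWORD, SECURITY_KEY, SMTP_PASSWORD) and values are assumptions for illustration, not the contents of the real file.

```python
import re

# Constructed sample .env content for illustration; not the file from the article.
SAMPLE_ENV = """\
# Application settings
APP_ENV=production
export DB_HOST=db.internal.example
DB_PORT=3306
DB_USER="jobs_app"
DB_PASSWORD='s3cr3t-pass'  # trailing comment
SECURITY_KEY=Zk9-example-key-not-real
SMTP_HOST=mail.example
SMTP_USER=newsletter
SMTP_PASSWORD=mailpass
DEBUG=false
"""

# Key names that usually carry a secret rather than a plain setting.
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|KEY|TOKEN|API|CREDENTIAL)", re.I)
# KEY=VALUE with an optional leading "export" (dotenv-style syntax).
ENV_LINE_RE = re.compile(
    r"^\s*(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>.*)$"
)


def _unquote(value):
    """Strip surrounding quotes, or an unquoted trailing ' # comment'."""
    if value[:1] in ("'", '"'):
        end = value.find(value[0], 1)
        if end != -1:
            return value[1:end]
    return value.split(" #", 1)[0].strip()


def parse_env(text):
    """Parse dotenv text into an ordered dict, skipping blanks and comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE_RE.match(line)
        if m:
            env[m.group("key")] = _unquote(m.group("value").strip())
    return env


def rotation_plan(env):
    """Group secret-bearing keys by the credential class that must be rotated.

    Every secret in a file that was reachable from the internet is treated as
    compromised, regardless of whether access was observed in the logs.
    """
    plan = {"database": [], "mail": [], "app_secret": []}
    for key in env:
        if not SECRET_KEY_RE.search(key):
            continue
        if key.startswith("DB_"):
            plan["database"].append(key)
        elif key.startswith(("SMTP_", "MAIL_")):
            plan["mail"].append(key)
        else:
            plan["app_secret"].append(key)  # e.g. cookie/session encryption keys
    return plan


def redacted_report(env):
    """Listing with secret values replaced, so it can be shared in a ticket."""
    lines = []
    for key, value in env.items():
        if SECRET_KEY_RE.search(key):
            lines.append(f"{key}=<redacted, {len(value)} chars>")
        else:
            lines.append(f"{key}={value}")
    return lines


if __name__ == "__main__":
    parsed = parse_env(SAMPLE_ENV)
    print("Rotate:", rotation_plan(parsed))
    print("\n".join(redacted_report(parsed)))
```

The plan deliberately does not stop at the database password: a leaked application key such as a cookie encryption key has to be regenerated too, which invalidates every existing session, and any SMTP password in the file must be changed on the mail server, not only in the file.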
Developers commonly use environment configuration files to manage settings for different deployment environments, such as development, testing, or production. This file should not be directly accessible to the public.
ESN failed to configure access control properly, leading to the exposure of the .env file to the public. The file exposed critical information, including cookie encryption keys and credentials for a database associated with job offerings by the organization.
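As an added example (not part of the Cybernews article and not ESN's code), the following Python script shows how a defender would check web server access logs for the two exposure patterns described above: requests for dotfiles such as /.env that the server answered with 200, and successful requests to the WordPress REST users endpoint. The log lines are constructed samples in the standard combined format; the IP addresses, timestamps and paths are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache/NGINX "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jun/2023:10:01:12 +0000] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jun/2023:10:01:13 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2023:10:02:40 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2023:10:02:41 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 2210 "-" "curl/8.1"
192.0.2.9 - - [16/Jun/2023:10:03:00 +0000] "GET /.env HTTP/1.1" 403 162 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

# Dotfiles that a web server in front of an application must never serve.
SENSITIVE_PATH_RE = re.compile(r"/\.(env|git|htpasswd|htaccess)(/|$|\.)")
# WordPress REST endpoint that lists users if left unrestricted.
WP_USERS_RE = re.compile(r"^/wp-json/wp/v2/users(/|$)")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Label one parsed entry; None means nothing of interest."""
    path = entry["path"].split("?", 1)[0]
    if SENSITIVE_PATH_RE.search(path):
        # A 200 means the file was actually handed out; anything else was blocked.
        return "dotfile_served" if entry["status"] == 200 else "dotfile_blocked"
    if WP_USERS_RE.match(path) and entry["status"] == 200:
        return "wp_user_enumeration"
    return None


def scan(log_text):
    """Return (label, client_ip, path, status) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((label, entry["ip"], entry["path"], entry["status"]))
    return findings


def summarize(findings):
    """Count findings per label, e.g. to alert when dotfile_served > 0."""
    return Counter(label for label, *_ in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(dict(summarize(results)))
```

A single dotfile_served hit is the signal that matters: it proves the file left the server, so the exposure window starts no later than that timestamp and every secret in the file has to be rotated. The dotfile_blocked entries are still worth keeping, since they show who was probing for the file before or after the fix.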
A newsletter subscription form on the impacted subdomains suggests that the web application likely has access to an email server. To gain access to an email server, the web application could store SMTP credentials in its database.
If these credentials were compromised, an attacker could have potentially taken control of the email server. This could have enabled them to read communications sent through the server and send new, malicious communications, such as spam or phishing attempts.
Since the affected subdomains had user login and photo upload features, the sensitive information they store is actively used by the website and could be at risk of compromise. The extracted data could be used in credential-stuffing attacks on other websites.
Risks for exchange students
The implications of a data leak could have been far-reaching. ESN is a tempting target for malicious actors, as they can potentially acquire a staggering amount of personal data or distribute a high volume of targeted phishing emails.
Gaining access to the ESN’s Content Management System (CMS) and the database used by the websites would have provided significant opportunities for lateral movement to affect other Erasmus websites and internal systems.
Given Erasmus's role in providing housing for exchange students, attackers with access to the official communication channels could have potentially deceived participants into making payments, as students often transfer funds without physically inspecting the properties.
Unlike typical housing scams focusing on reservation fees, this scenario involves an additional layer of trust in the organization, enabling attackers to target higher-value rewards.
Threat actors could have falsely asserted that most accommodations were already reserved, leaving only limited options available. This tactic might have induced multiple payments within a short timeframe, taking advantage of the trust associated with the Erasmus platform.