Indian trade association exposes sensitive data


The Federation of Indian Chamber of Commerce and Industry (FICCI) exposed an important file, risking indirect financial loss and reputational damage, as well as legal and compliance problems.

The Cybernews research team has come across a publicly hosted environment file (.env) containing sensitive data such as credentials for databases. It turns out that the file belongs to FICCI – a century-old Indian trade organization.

With an indirect membership of over 250,000 companies, it refers to itself as 'the voice of India's business and industry.'

The file in question has been open to the public for over three months – it was first indexed by IoT search engines on August 25th, 2023, and was closed on November 16th, 2023. Namely, the file contained:

  • Mail SMTP credentials: The exposure of STMP (Simple Mail Transfer Protocol) credentials can pose significant risks to FICCI as attackers can exploit them in phishing or malware distribution.
  • SQL Database credentials: Since the database doesn’t have public access, it can only be accessed from the network. However, if the database would have been open to the public, attackers could have used the credentials to access the company’s data
  • API endpoint, client secret, and ID: Exposing API client secrets and IDs poses significant risks, compromising data integrity and confidentiality and potentially leading to data breaches.
  • CRM (Customer Relationship Management) token API: Attackers with access to this can potentially interact with the CRM system, which is extremely worrying if the system is connected to many businesses and contains sensitive customer data.

Researchers noted that, while exposed .env files usually pose a significant risk to organizations due to their sensitive nature, in this case, home security measures were in place. This means that, despite containing credentials for databases, the latter were protected from public access.

“If malicious actors discover the exposed environment file at FICCI, the trade association may face indirect financial losses, reputational damage, legal and compliance problems, unauthorized access to confidential information, and potential subsequent data breaches and manipulation,” stated Cybernews researchers.

Given the extensive scope of FICCI's activities and its vast network of partners, members, and stakeholders, the organization presents a lucrative target for cybercriminals.

Cybernews has contacted FICCI for an on-the-record comment and will update the article upon receiving more information.

Exposed .env files happen to be quite a common security issue, as the Cybernews research team's investigations have shown over the years. Here is some advice on how to deal with them:

  • Render the .env file inaccessible using any type of authorization or authentication.
  • Investigate access logs to identify whether any threat actors have accessed the exposed sensitive information.
  • Change the compromised SMTP credentials to prevent unauthorized access to email services.
  • Immediately revoke and regenerate the API client secret and ID to invalidate the exposed credentials.
  • Use encryption and access controls to keep API secrets safe.
  • Regularly rotate secrets to reduce the exposure window.
  • Check API usage for irregularities and suspicious activities.