Football Australia leak exposes players’ details


Australia’s football governing body, Football Australia, has leaked secret keys potentially opening access to 127 buckets of data, including ticket buyers’ personal data and players’ contracts and documents.

In terms of data security, Football Australia scored an “own goal.” The organization left plain-text Amazon Web Services (AWS) keys – including Secret keys – hardcoded into the HTML page of its subdomain, the Cybernews research team has discovered.

AWS access keys are the credentials a program presents to authenticate API calls to the cloud platform. Each key pair has two parts: an access key ID, which identifies the key, and a secret access key, which must stay private, because anyone holding both halves can read and control the organization’s AWS services with whatever permissions that key carries.
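The root cause described above is a key pair sitting in plain text inside a served page. The following is an added example (not code from Cybernews or Football Australia) of the pre-deploy check that catches exactly that: it scans HTML/JS text for a 20-character access key ID (AKIA for long-term keys, ASIA for temporary ones) and a 40-character secret sitting next to a credential-looking name, and masks anything it finds so the scanner itself never logs a full secret. The sample page, its key names and the credentials in it are constructed; the secret is AWS’s own documentation placeholder, not a live key.

```python
"""Pre-deploy check: flag AWS credentials hardcoded in web assets.

Added example, not the article's or the organisation's own code. Intended to run
over built assets in CI so that a key never ships inside a public page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Access key IDs are exactly 20 uppercase alphanumerics starting with AKIA/ASIA.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret keys are 40 base64-like characters. On its own that pattern is noisy
# (hashes, tokens), so only flag one that follows a secret-key-looking name.
SECRET_KEY_RE = re.compile(
    r"""(?i)(?:aws_?secret_?(?:access_?)?key|secret_?access_?key)"""
    r"""\s*["']?\s*[:=]\s*["']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"""
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "access_key_id" or "secret_access_key"
    line: int    # 1-based line number in the scanned text
    masked: str  # value with all but the first 4 characters masked


def mask(value: str) -> str:
    """Keep a short prefix for triage; never emit the full secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list[Finding]:
    """Return every access key ID and secret key found, with line numbers."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding("access_key_id", line_no, mask(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding("secret_access_key", line_no, mask(m.group(1))))
    return findings


def has_hardcoded_aws_keys(text: str) -> bool:
    """CI gate: True means the build should fail."""
    return bool(scan_text(text))


# Constructed sample page (hypothetical). The access key ID is fabricated and the
# secret is AWS's documentation placeholder; neither is a valid credential. The
# data-build attribute shows a token that merely starts with AKIA is not flagged.
SAMPLE_HTML = """<html><head><title>tickets</title>
<script>
  var awsConfig = {
    region: "ap-southeast-2",
    accessKeyId: "AKIAEXAMPLE0000000AB",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  };
</script>
</head><body data-build="AKIAnotakey"></body></html>
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_HTML):
        print(f"line {f.line}: {f.kind} {f.masked}")
    raise SystemExit(1 if has_hardcoded_aws_keys(SAMPLE_HTML) else 0)
```

Run it against the directory of built static assets before every deploy; a non-zero exit blocks the release. The secret-key pattern deliberately requires a nearby key name, which trades a few missed cases for far fewer false positives on ordinary 40-character hashes.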


According to the team, the plain-text keys that Football Australia left accessible enabled access to a staggering 127 digital storage containers. For example, one publicly accessible bucket contained personal details.

Sample of the exposed data. Image by Cybernews.

“Moreover, one bucket did not even require authentication and contained personal information, contracts, and documents of football players,” researchers claim.

Football Australia fixed the issue after the team informed the organization about it. The organization's official statement on the incident says that Football Australia is aware of the issue and that it will keep “stakeholders updated as we establish more details.”

“Football Australia is aware of reports of a possible data breach and is investigating the matter as a priority,” the organization said.

According to the team, the exposed data includes:

  • Personal identifiable information of players
  • Ticket purchase information
  • Internal infrastructure details
  • Source code of the digital infrastructure
  • Scripts of the digital infrastructure

“While we cannot confirm the total number of the affected individuals, as it would require downloading the entire dataset, contradicting our responsible disclosure policies, we estimate that every customer or fan of Australian football was affected,” researchers claim.


The team believes the most likely cause of the leak is human error: a developer probably left a reference to the keys in a script that was served to the public without noticing. Nevertheless, the mistake represents a critical data exposure incident.

Sample of the exposed data. Image by Cybernews.

The team could not pinpoint the exact amount of data exposed in the leak, as that would require violating strict white-hat researcher principles. However, reverse engineering indicates that the exposed secret could unlock 126 buckets of data.

Moreover, one of the buckets was left completely unprotected, which means it was left public and accessible without any keys. The public digital storage container contained football players’ passports and contracts.
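A bucket that is reachable without any credentials is usually the result of a policy that grants the anonymous principal access. As an added example (not code from the article or from Football Australia), here is a small offline lint that reads an S3 bucket policy and reports Allow statements aimed at the anonymous principal, shown against a constructed open policy and a constructed locked-down one. The bucket and role names are placeholders and the account ID is AWS’s standard example value; the check is a deliberately simplified heuristic, not a replacement for S3 Block Public Access or IAM Access Analyzer.

```python
"""Lint S3 bucket policies for grants to the anonymous principal.

Added example, not the article's or the organisation's own code. Heuristic: an
Allow statement whose Principal is "*" or {"AWS": "*"} is reported; if it also
carries a Condition it is reported as "review" (the condition may or may not
narrow the caller), otherwise as "public".
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyFinding:
    sid: str
    actions: tuple[str, ...]
    verdict: str  # "public" (no Condition) or "review" (has Condition)


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True for the wildcard principal in either of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_grants(policy: dict) -> list[PolicyFinding]:
    """Return every Allow statement addressed to the anonymous principal."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(st.get("Principal")):
            continue
        verdict = "review" if st.get("Condition") else "public"
        actions = tuple(_as_list(st.get("Action", [])))
        findings.append(PolicyFinding(st.get("Sid", "<no Sid>"), actions, verdict))
    return findings


def is_public(policy_json: str) -> bool:
    """True when at least one unconditioned anonymous Allow exists."""
    return any(f.verdict == "public" for f in anonymous_grants(json.loads(policy_json)))


# Constructed policies (hypothetical bucket and role names).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-player-docs/*",
    }],
})

LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyDocsReaderRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-docs-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-player-docs/*",
    }],
})

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, "public" if is_public(policy) else "not public")
        for f in anonymous_grants(json.loads(policy)):
            print("  ", f.sid, f.verdict, ", ".join(f.actions))
```

The "review" verdict exists because a Condition can either restrict the caller (for example to a specific VPC endpoint) or leave the grant effectively open (for example only requiring TLS); a lint cannot decide that without understanding each condition key, so it hands those statements to a human rather than silently passing them.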

“The exposed data, including contracts and documents of football players, poses a severe threat as attackers could exploit this information for identity theft, fraud, or even blackmail, emphasizing the urgent need for improved security practices and measures to safeguard sensitive data,” the team said.

Football Australia is Australia’s main governing body of soccer, futsal, and beach soccer. The organization oversees the men’s, women’s, youth, Paralympic, beach, and futsal national teams in Australia, the national coaching programs, and the state governing bodies for the sport.

Updated on February 1st [07:30 AM GMT] with a statement from Football Australia.