Polish quiz website fails cybersecurity test, leaving 60K users exposed


Quizme, a Polish entertainment platform popular among educational institutions for creating and sharing quizzes, has inadvertently exposed the sensitive data of over 60,000 users, including easily crackable passwords. Users may be at risk of account takeovers and phishing attacks.

On June 25th, 2024, the Cybernews research team discovered an open web directory belonging to Quizme.pl, a website where Polish users create and share quizzes, tests, puzzles, and other games.

It had directory listing enabled, which means that outsiders could list and access all the subfolders and files using a simple web browser. No authentication was required to access the data.

Inside the directory was a treasure trove for cybercriminals. The website leaked database backups, filled with the email addresses, IP addresses, linked Facebook accounts, usernames, and passwords of over 60,000 users.


The website used SHA-1, a deprecated hashing algorithm, to protect passwords. SHA-1 is a fast, general-purpose hash rather than a dedicated password-hashing function, so it is no longer considered secure for this purpose, and threat actors can crack such hashes quickly using a modern computer with a consumer graphics card.

The leaked backups also included any quizzes the users solved, the answers they chose, and other activity logs. The website made new backups daily. Therefore, the exposed information was no older than 24 hours.

“Quizzes and responses reveal sensitive information about participants and their preferences. Potential attackers can construct profiles using this data and use them in spearphishing attacks, sending personalized malicious messages,” our researchers warned.

Moreover, the website exposed its private key for the SSL certificate, which is used to encrypt communications with users. This would allow a man-in-the-middle to intercept and decrypt any traffic with the website.


According to Similarweb data, Quizme.pl has around one million users each month and is among the top 1000 websites in Poland. The website's privacy policy and other documents do not reveal the owner.

After the responsible disclosure, the website’s support team quickly resolved the issue.

“The issue was due to an old configuration error on our side and carelessness or oversight by the developer, but there were definitely no bad intentions,” the website support team explained. “We are unable to estimate the scope of the issue. We are a very small website that has no resources to do it.”

They also told Cybernews they’ve updated the SSL certificate and will provide information for the registered affected users about the issue. Quizme urges users to change their passwords.

Leaked passwords put other accounts at risk

It’s not clear if malicious actors discovered this leak first. If so, they may attempt to take over accounts, analyze user activity to find additional sensitive information, perform credential-stuffing attacks, or use the leaked email addresses for phishing and spam.

“Large databases with combinations of IP addresses, email addresses, and usernames are goldmines for threat actors seeking to dox individuals. This platform’s educational focus amplifies the risks for teachers and students, as it contains quizzes based on specific school textbook chapters. A significant portion of leaked information is likely to pertain to minors,” Cybernews researchers believe.

Researchers recommend that users change the exposed passwords immediately, ensure they’re not reused on any other platform, and enable multi-factor authentication if available. Cybercriminals often try reusing leaked passwords and email addresses to gain unauthorized access to multiple accounts. They may also send unexpected emails urging users to click a link, open an attachment, or provide additional personal information.

For website owners, maintaining proper access controls, such as disabling directory listing and keeping backups and private keys out of web-accessible paths, is crucial to ensure the integrity of the security infrastructure.

“When a leak occurs, it’s important to swiftly remove public access to sensitive backups, reset leaked credentials and certificates, revoke compromised private keys, and inform affected users, providing clear guidance,” our researchers concluded.

The website's weak password-hashing algorithms suggest additional security audits are needed to thoroughly review and protect the systems.
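As an added illustration of the remediation such an audit would prescribe for the SHA-1 password storage described above (example code written for this article, not Quizme's code), the snippet below verifies logins against a legacy unsalted SHA-1 record and transparently rehashes the password with salted PBKDF2-HMAC-SHA256 on the first successful login. The `users` dictionary, the `legacy_sha1` layout and the iteration count are constructed assumptions standing in for a real user store.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumption: the legacy records are the bare hex SHA-1 of the password (no salt, no work factor).
def legacy_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Assumption: iteration count chosen for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000
PBKDF2_PREFIX = "pbkdf2_sha256$"

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash stored as pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def is_legacy(stored: str) -> bool:
    return not stored.startswith(PBKDF2_PREFIX)

def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison for both the new and the legacy record format."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_sha1(password), stored)
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_upgrade(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; on success, replace a legacy SHA-1 record with a PBKDF2 one in place."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if is_legacy(stored):
        users[username] = hash_password(password)  # upgrade happens only when the plaintext is known
    return True

# Constructed sample user store: one account still on the legacy scheme.
SAMPLE_USERS: Dict[str, str] = {"alice": legacy_sha1("correct-horse-battery")}
```

Upgrade-on-login only converts accounts that actually sign in, so records of dormant users stay SHA-1 and should be expired, which is why the advice above to change exposed passwords still applies.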