Responsible Disclosure

Multiple critical vulnerabilities were discovered across a range of systems, exposing sensitive data and posing severe risks to the privacy, security, and integrity of organizations and individuals. They include exposed credentials, API calls that return personally identifiable information (PII), insecure direct object reference (IDOR) flaws, and proxy-chain attacks against Microsoft Exchange/OWA. The potential consequences include financial loss, reputational damage, regulatory non-compliance, and the compromise of millions of citizens' data. Reporting these findings and notifying the affected parties is essential for transparency, prompt mitigation, and compliance with legal and ethical responsibilities.

Promptly informing the relevant stakeholders, including the organization's leadership, IT security teams, and affected individuals, allows proactive measures to be taken to address the vulnerabilities, mitigate potential damage, and prevent further exploitation. Timely disclosure also fosters trust and accountability by demonstrating an organization's commitment to addressing security concerns and protecting the interests of its stakeholders. This approach aligns with best practices in cybersecurity incident response and upholds the organization's reputation and integrity in the face of critical vulnerabilities.

Throughout 2023, responsible disclosure efforts resulted in the identification and reporting of security vulnerabilities across a range of sectors: 10 disclosures in banking and finance, 9 in government entities, 7 in education, 6 in telecommunications, 3 in information technology, and 1 each in construction, new media, and transportation (airline). This breadth underscores the commitment to improving cybersecurity across diverse industries.

Engaging with stakeholders in these sectors has led to proactive steps to address vulnerabilities, mitigate potential risks, and contribute to the overall security of digital systems and data. The collaborative nature of these disclosures reflects a concerted effort to promote transparency, accountability, and continuous improvement in cybersecurity practices across multiple sectors.

Disclosures by sector, 2023:

BANKING & FINANCE: 10
GOVERNMENT: 9
EDUCATION: 7
TELECOMMUNICATION: 6
INFORMATION TECHNOLOGY: 3
NEW MEDIA: 1
CONSTRUCTION: 1
TRANSPORTATION: 1

1. CONSTRUCTION

Valid Personally Identifiable Information (PII) of employees was uncovered, together with complete access to the company's payroll, attendance, and inventory records, through a misconfigured Enterprise Resource Planning (ERP) system. This poses a critical risk to the company's operations, privacy, and security.

2. BANKING & FINANCE

Valid Personally Identifiable Information (PII) of users, including Bank Verification Numbers (BVN) and other identifiers such as National Identification Number (NIN) data and voter cards, was found on old servers used to store scanned copies of customer registration forms and other documents. This presents a severe risk to the security and privacy of the affected individuals and to the company's compliance with data protection regulations.

3. INFORMATION TECHNOLOGY

Valid Personally Identifiable Information (PII) of users was identified in the test environment of an application under development. Credentials for dashboards and other sensitive areas were also exposed. This poses a critical risk to the security and confidentiality of user data and to the integrity of the application.

4. EDUCATION

A directory traversal vulnerability was discovered that leaked the source code of e-portals serving staff, students, and other users, which in turn exposed Personally Identifiable Information (PII) and access credentials for other applications. This represents a critical risk to the security and confidentiality of sensitive data.
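To make the class of bug in this case concrete, here is an added example (not code from the report or from the affected portal): a minimal file-serving handler in its vulnerable form beside a hardened one, run against a constructed directory layout in which a `settings.py` outside the web root stands in for portal source code. The directory names, file names and contents are assumptions for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversal(Exception):
    """Raised when a requested path would resolve outside the web root."""


def serve_unsafe(root: str, requested: str) -> str:
    """Vulnerable handler: joins the decoded request path under root and opens
    whatever it points at. '../' segments walk out of root, so source files and
    configs that sit next to the portal become readable over HTTP."""
    path = os.path.join(root, unquote(requested))
    with open(path) as f:
        return f.read()


def serve_safe(root: str, requested: str) -> str:
    """Hardened handler: decode once, reject absolute paths and NUL bytes,
    resolve the candidate (collapsing '..' and following symlinks) and require
    it to stay under the resolved root. Decoding exactly once matters: a second
    decode after the check would let %252e%252e turn into '..' too late."""
    real_root = os.path.realpath(root)
    decoded = unquote(requested)
    if os.path.isabs(decoded) or "\x00" in decoded:
        raise PathTraversal(requested)
    candidate = os.path.realpath(os.path.join(real_root, decoded))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathTraversal(requested)
    with open(candidate) as f:
        return f.read()


def is_rejected(root: str, requested: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        serve_safe(root, requested)
    except PathTraversal:
        return True
    return False


def build_sandbox():
    """Constructed layout: a web root with one public page and a sibling
    directory holding a 'settings.py' that stands in for portal source code
    (assumed names, invented contents). Returns (root, traversal_path)."""
    root = tempfile.mkdtemp(prefix="portal_www_")
    app = tempfile.mkdtemp(prefix="portal_app_")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>staff portal</h1>")
    with open(os.path.join(app, "settings.py"), "w") as f:
        f.write("DB_PASSWORD = 'example-only'\n")
    # e.g. "../portal_app_abc123/settings.py" relative to the web root
    traversal = os.path.relpath(os.path.join(app, "settings.py"), root)
    return root, traversal


ROOT, TRAVERSAL = build_sandbox()
# Same payload with the dots URL-encoded, as a client would send it
ENCODED = TRAVERSAL.replace("..", "%2e%2e")

if __name__ == "__main__":
    print("unsafe handler returns:", serve_unsafe(ROOT, TRAVERSAL).strip())
    print("safe handler rejects plain payload:", is_rejected(ROOT, TRAVERSAL))
    print("safe handler rejects encoded payload:", is_rejected(ROOT, ENCODED))
    print("safe handler still serves index:", serve_safe(ROOT, "index.html"))
```

The check that does the work is the `commonpath` comparison after `realpath`: string checks for `..` alone miss encoded variants and symlinks, whereas resolving first and then asking whether the result is still inside the root covers both. Serving static files through a dedicated web server or framework static handler, rather than hand-rolled path joins, is the usual way to avoid writing this code at all.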

5. EDUCATION

Data belonging to over 1,000 enrollees was exposed and admin credentials were discovered. The website was also found to be vulnerable to cross-site scripting (XSS). This presents a severe risk to the privacy and security of the affected individuals, as well as to the integrity of the system and its data.

6. BANKING & FINANCE

Credentials have been inadvertently exposed within the application settings and configuration files on GitHub, potentially compromising sensitive access information. This poses a severe risk to the security and integrity of the application, as well as the confidentiality of any data accessible through these credentials.

7. BANKING & FINANCE

Live production data shared with a third-party analytics team exposed transaction details and users' Personally Identifiable Information (PII), including Bank Verification Numbers (BVN) and phone numbers. This presents a critical risk to the privacy and security of the affected individuals, as well as potential regulatory non-compliance.

8. GOVERNMENT

The discovery of admin and super-admin credentials in a configuration file has resulted in the exposure of Bureau of Public Procurement (BPP) data belonging to a state government. This poses a critical risk to the security and confidentiality of sensitive government data.

9. GOVERNMENT

Credentials have been inadvertently exposed within the application settings and configuration files on GitHub, allowing unauthorized access to the mail system of a state Ministry of Education. This presents a severe risk to the security and confidentiality of the ministry's communication and potentially compromises sensitive information.
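Cases 6 and 9 describe the same failure mode: working credentials committed in settings and configuration files. The following added example (not the reporters' code and not from either affected organization) is the kind of pre-commit check that catches it before a push: it scans constructed sample config files for credential-like keys whose values are literals rather than references to the environment or a secret store. The file names, keys and values are invented for the example.

```python
import math
import re

# Constructed sample files standing in for settings and configuration files
# about to be committed. Names, keys and values are invented for this example.
SAMPLES = {
    "settings.py": (
        "DEBUG = False\n"
        'SMTP_HOST = "mail.example.gov.ng"\n'
        'SMTP_PASSWORD = "Qz8!vL2pX9mR4tW7"\n'
        'SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]\n'
    ),
    "appsettings.json": (
        "{\n"
        '  "ConnectionString": "Server=db;User Id=admin;Password=Sup3rAdm1n#2023;",\n'
        '  "LogLevel": "Information"\n'
        "}\n"
    ),
    "config.yml": (
        "api_key: ${API_KEY}\n"
        "admin_token: ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789\n"
    ),
}

# A credential-like key (password, secret, token, api key, with any prefix or
# suffix) followed by ':' or '=' and a literal value. Quotes are optional so
# Python, JSON, YAML, .env and connection-string syntax are all covered.
ASSIGNMENT_RE = re.compile(
    r"""([\w-]*(?:password|passwd|secret|token|api[_-]?key)[\w-]*)"""
    r"""\s*["']?\s*[:=]\s*["']?([^"'\s,;]+)""",
    re.IGNORECASE,
)

# Values that reference the environment or a secret store instead of holding
# the secret itself. This is what the fix for a finding looks like.
PLACEHOLDER_PREFIXES = ("${", "$", "os.environ", "process.env", "env(", "{{", "<")


def shannon_entropy(value: str) -> float:
    """Bits per character: near 4 for random-looking tokens, low for words.
    Reported per finding to help triage, not used to suppress findings."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum(
        value.count(c) / n * math.log2(value.count(c) / n) for c in set(value)
    )


def is_placeholder(value: str) -> bool:
    return value.startswith(PLACEHOLDER_PREFIXES)


def scan_text(filename: str, text: str, min_length: int = 6) -> list:
    """Return (filename, line_no, key, entropy) for every credential-like key
    assigned a literal value of at least min_length characters."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ASSIGNMENT_RE.finditer(line):
            key, value = match.group(1), match.group(2)
            if is_placeholder(value) or len(value) < min_length:
                continue
            findings.append((filename, line_no, key, round(shannon_entropy(value), 2)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of filename -> contents (what a pre-commit hook would
    build from the staged files) and return all findings in file order."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLES):
        print("%s:%d  %s  (entropy %.2f bits/char)" % finding)
```

Run it over the staged files in a pre-commit hook (for example by feeding `git diff --cached --name-only` into `scan_files`) and fail the commit on any finding; the fix for each hit is to move the value into an environment variable or a secret manager, which is exactly the shape the placeholder check accepts. Two caveats a practitioner should keep in mind: a pattern scanner like this is a cheap first line and will miss secrets under unusual key names, so a dedicated secret scanner in CI is still worth having; and removing a credential from the working tree does not remove it from repository history, so anything already pushed to a public repository must be rotated, not just deleted.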