Meldingsapp Verbeterdebuurt lekte gegevens anonieme melders
De app Verbeterdebuurt, waarmee gebruikers allerlei zaken bij hun gemeente kunnen melden, lekte de gegevens van zowel anonieme als niet-anonieme melders. Dat ontdekte beveiligingsonderzoeker Jan van Kampen. Meldingen die in de app worden gedaan zijn voor iedereen zichtbaar. In het geval van een anonieme melding wordt hierbij de gebruikersnaam "Anonieme Buurtverbeteraar" weergegeven.
De api waar de app gebruik van maakt bleek echter ook het e-mailadres van de anonieme melder mee te sturen, dat door elke gebruiker kon worden gezien. Aan de hand van het e-mailadres zou de identiteit van de melder kunnen worden achterhaald. Van Kampen waarschuwde de applicatieontwikkelaar, wat in eerste instantie niets opleverde. Nadat hij via zijn gemeente melding van het probleem maakte rolde de ontwikkelaar een fix uit en meldde het datalek bij de Autoriteit Persoonsgegevens.
Aangezien de e-mailadressen van anonieme melders zo eenvoudig waren te vinden besloot de onderzoeker verder naar de applicatie te kijken en ontdekte dat er nog veel meer persoonlijke informatie van melders zichtbaar was. Het ging om telefoonnummers, adresgegevens en notities van melders. Deze informatie zou volgens Verbeterdebuurt alleen naar de gemeente worden gestuurd, maar bleek voor iedereen zichtbaar te zijn. Wederom meldde Van Kampen het datalek, waarna de ontwikkelaar het probleem verhielp.
Reacties (7)
Je verwacht het niet bij de overheid he.
Want alles moet digitaal en de privacy is gewaarborgd. Ofzo.
Want alles moet digitaal en de privacy is gewaarborgd. Ofzo.
Door Anoniem: Je verwacht het niet bij de overheid he.
Want alles moet digitaal en de privacy is gewaarborgd. Ofzo.
Want alles moet digitaal en de privacy is gewaarborgd. Ofzo.
Mag ik vragen hoie je erbij komt dat dit een overheidstoepassing is? :D
Door Anoniem:Mag ik vragen hoie je erbij komt dat dit een overheidstoepassing is? :D
''Deze informatie zou volgens Verbeterdebuurt alleen naar de gemeente worden gestuurd''...de overheid doet er dus wel wat mee,ongeacht of ze ontwikkelaar zijn.
Door Anoniem: Je verwacht het niet bij de overheid he.
Want alles moet digitaal en de privacy is gewaarborgd. Ofzo.
Want alles moet digitaal en de privacy is gewaarborgd. Ofzo.
Na wat zoeken op het internet:
https://www.digitalepioniers.nl/projecten/Verbeterdebuurt-nl/139/index.html
Niet echt overheid, maar eerder een privaat initialtief.
Het viel me trouwens op dat ik geen informatie over de organisatie achter Verterdebuurt op de site van Verbeterdebuurt kon vinden.
Ze laten dus wel meer steken vallen, lijkt het.
Wat kom je tegen op de verbeter de buurt website (dynamic link) met Retire.JS:
angularjs 1.2.0rc1 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.2.0rc1/angular-route.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Medium The attribute usemap can be used as a security exploit
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.2.7 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.2.7/angular-resource.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Medium The attribute usemap can be used as a security exploit
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.5.0 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.5.0/angular-cookies.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Low XSS through SVG if enableSvg is set 12
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.5.0 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.5.0/angular.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Low XSS through SVG if enableSvg is set 12
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
bootstrap 3.3.5 Found in https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js<br>Vulnerability info:
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
Medium 20184 XSS in data-target property of scrollspy CVE-2018-14041
Medium 20184 XSS in collapse data-parent attribute CVE-2018-14040
Medium 20184 XSS in data-container property of tooltip CVE-2018-14042
En hier 728 verbetertips voor de website:https://webhint.io/scanner/853f131b-131f-4870-960c-4f632a9d6e92
waarvan akte,
luntrus
angularjs 1.2.0rc1 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.2.0rc1/angular-route.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Medium The attribute usemap can be used as a security exploit
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.2.7 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.2.7/angular-resource.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Medium The attribute usemap can be used as a security exploit
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.5.0 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.5.0/angular-cookies.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Low XSS through SVG if enableSvg is set 12
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.5.0 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.5.0/angular.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Low XSS through SVG if enableSvg is set 12
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
bootstrap 3.3.5 Found in https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js<br>Vulnerability info:
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
Medium 20184 XSS in data-target property of scrollspy CVE-2018-14041
Medium 20184 XSS in collapse data-parent attribute CVE-2018-14040
Medium 20184 XSS in data-container property of tooltip CVE-2018-14042
En hier 728 verbetertips voor de website:https://webhint.io/scanner/853f131b-131f-4870-960c-4f632a9d6e92
luntrus
Door quikfit:
''Deze informatie zou volgens Verbeterdebuurt alleen naar de gemeente worden gestuurd''...de overheid doet er dus wel wat mee,ongeacht of ze ontwikkelaar zijn.
Door Anoniem:Mag ik vragen hoie je erbij komt dat dit een overheidstoepassing is? :D
''Deze informatie zou volgens Verbeterdebuurt alleen naar de gemeente worden gestuurd''...de overheid doet er dus wel wat mee,ongeacht of ze ontwikkelaar zijn.
Jaja dus alles "waar de overheid wel wat mee doet" dat is "een overheidstoepassing" en daar kunnen opmerkingen als
"Je verwacht het niet bij de overheid he" aan geplakt worden?
Door Anoniem: Wat kom je tegen op de verbeter de buurt website (dynamic link) met Retire.JS:
angularjs 1.2.0rc1 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.2.0rc1/angular-route.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Medium The attribute usemap can be used as a security exploit
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.2.7 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.2.7/angular-resource.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Medium The attribute usemap can be used as a security exploit
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.5.0 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.5.0/angular-cookies.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Low XSS through SVG if enableSvg is set 12
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.5.0 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.5.0/angular.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Low XSS through SVG if enableSvg is set 12
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
bootstrap 3.3.5 Found in https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js<br>Vulnerability info:
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
Medium 20184 XSS in data-target property of scrollspy CVE-2018-14041
Medium 20184 XSS in collapse data-parent attribute CVE-2018-14040
Medium 20184 XSS in data-container property of tooltip CVE-2018-14042
En hier 728 verbetertips voor de website:https://webhint.io/scanner/853f131b-131f-4870-960c-4f632a9d6e92
waarvan akte,
luntrus
Welk 'handig' neefje of nichtje van welke minister heeft dit in elkaar geknutseld?angularjs 1.2.0rc1 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.2.0rc1/angular-route.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Medium The attribute usemap can be used as a security exploit
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.2.7 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.2.7/angular-resource.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Medium The attribute usemap can be used as a security exploit
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.5.0 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.5.0/angular-cookies.min.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Low XSS through SVG if enableSvg is set 12
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
angularjs 1.5.0 Found in https://ajax.googleapis.com/ajax/libs/angularjs/1.5.0/angular.js<br>Vulnerability info:
Medium XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. CVE-2020-7676
Medium angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. CVE-2020-7676
Medium Prototype pollution 12
Low XSS through SVG if enableSvg is set 12
Medium Universal CSP bypass via add-on in Firefox 12
Medium DOS in $sanitize 12
Low XSS in $sanitize in Safari/Firefox
bootstrap 3.3.5 Found in https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js<br>Vulnerability info:
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
Medium 20184 XSS in data-target property of scrollspy CVE-2018-14041
Medium 20184 XSS in collapse data-parent attribute CVE-2018-14040
Medium 20184 XSS in data-container property of tooltip CVE-2018-14042
En hier 728 verbetertips voor de website:https://webhint.io/scanner/853f131b-131f-4870-960c-4f632a9d6e92
luntrus
Reageren
Deze posting is gelocked. Reageren is niet meer mogelijk.
Junior DevOps Engineer
Certified Secure is op zoek naar een Junior DevOps Engineer. Deze functie is een stuk interessanter dan de term doet vermoeden! Om jou als potentiële nieuwe collega meteen te laten zien wat we doen hebben we speciaal voor jou een selectie gemaakt van een aantal leuke security challenges. Are you ready for a challenge?
Cybersecurity Trainer / Streamer
Toe aan een nieuwe nieuwe job waarmee je het verschil maakt? In de Certified Secure trainingen laat je deelnemers zien hoe actuele kwetsbaarheden structureel verholpen worden. Ook werk je actief mee aan de ontwikkeling van onze gamified security challenges. Bij het maken van challenges kom je telkens nieuwe technieken tegen, van Flutter tot GraphQL, van Elastic Search tot Kubernetes.
