Updated A website built for international consultancy Deloitte to quiz people on their knowledge of hacking techniques has itself turned out to be vulnerable to hacking.
The site, served over plain HTTP at http://deloittehackeriq.com/ rather than HTTPS, exposes its YAML configuration file to anyone who asks for it. Inside that file, in cleartext, are the username and password for the site's MySQL database.
The website welcomes visitors to "Evaluate Your Hacker IQ" by entering a username. It then poses a series of multiple-choice questions about the techniques hackers use to obtain business information. The quiz does not cover the possibility of publicly exposed passwords.
The mistake was spotted on Wednesday by Tillie Kottmann, a Switzerland-based IT consultant and developer who goes by the handle deletescape. The website was taken down the same day.
— Tillie Kottmann (@antiproprietary), November 4, 2020
The deloittehackeriq.com domain was registered by Tank Design, a Massachusetts-based digital marketing firm, in 2015, and the site carries a 2015 Deloitte Development LLC copyright notice.
Kottmann told The Register that the last commit to the site's exposed .git repository was made in 2017 and said it is not clear how actively the site is being used. The site was first captured by the Internet Archive's Wayback Machine in 2018.
Further compounding the exposure, the quiz is hosted on Ubuntu Linux 14.04, which stopped receiving standard security updates in April 2019 (patches have since been available only through Canonical's paid Extended Security Maintenance) and is potentially vulnerable to 11 known flaws.
Kottmann said, "Maybe it's worth pointing out that a great deal of websites, including some other bigger corporations, have .git [repositories] exposed on various domains."
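The two mistakes described above, a web-served .git directory and a web-served configuration file holding database credentials, are easy to check for from the outside. The script below is an added example written for this page; it is not code from The Register, Deloitte, Tank Design or the quiz site. It probes a base URL for `/.git/HEAD` and `/.git/config` and for a few common config file paths, validates that what comes back really is git metadata rather than a soft-404 HTML page, and scans any served config for credential-looking keys whose values are not placeholders. The probe paths, the `example.invalid` host and the sample responses are assumptions constructed for the demonstration, not observations of the real site.

```python
"""Check a site for an exposed .git directory and web-served config files.

Added example for this article, not code from the site or its builders.
Probe paths, the example host and the sample responses are constructed.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A real .git/HEAD is a symbolic ref ("ref: refs/heads/main") or a bare
# commit hash; anything else (e.g. an HTML "not found" page) is not git.
GIT_HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")

# Keys whose values in a served YAML/.env style file would be credentials.
CRED_KEY_RE = re.compile(
    r"^\s*(password|passwd|db_password|database_password|secret|api_key|token)"
    r"\s*[:=]\s*(\S.*)$",
    re.IGNORECASE | re.MULTILINE,
)

# Paths to try (assumed; extend for the framework actually in use).
GIT_PATHS = ["/.git/HEAD", "/.git/config"]
CONFIG_PATHS = ["/config.yml", "/config.yaml", "/config/database.yml", "/.env"]

Fetcher = Callable[[str], Tuple[int, bytes]]  # url -> (status, body)


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Real fetcher: GET the URL and return (status, first 64 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(64 * 1024)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""


def is_git_head(body: bytes) -> bool:
    return bool(GIT_HEAD_RE.match(body.strip()))


def is_git_config(body: bytes) -> bool:
    return b"[core]" in body and b"repositoryformatversion" in body


def find_cleartext_credentials(text: str) -> List[str]:
    """Return credential-looking keys whose values are literal, not placeholders."""
    found = []
    for match in CRED_KEY_RE.finditer(text):
        key, value = match.group(1), match.group(2).strip().strip("'\"")
        # Skip env-var or template references and empty/null values.
        if value.startswith(("${", "<%", "ENV[")) or value.lower() in ("", "null", "~"):
            continue
        found.append(key)
    return found


def probe(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, List[str]]:
    """Probe base_url and report exposed git metadata and leaked config keys."""
    base = base_url.rstrip("/")
    findings: Dict[str, List[str]] = {"git": [], "config": []}
    for path in GIT_PATHS:
        status, body = fetch(base + path)
        looks_real = is_git_head(body) if path.endswith("HEAD") else is_git_config(body)
        if status == 200 and looks_real:
            findings["git"].append(path)
    for path in CONFIG_PATHS:
        status, body = fetch(base + path)
        if status == 200:
            keys = find_cleartext_credentials(body.decode("utf-8", "replace"))
            if keys:
                findings["config"].append(f"{path}: {', '.join(keys)}")
    return findings


# Constructed sample site standing in for a misconfigured host (not real data).
SAMPLE_SITE = {
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
    "/config.yml": (200, b"database:\n  host: localhost\n  username: quizapp\n  password: hunter2\n"),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    """Offline fetcher serving SAMPLE_SITE for http://example.invalid."""
    path = url[len("http://example.invalid"):]
    return SAMPLE_SITE.get(path, (404, b""))


if __name__ == "__main__":
    print(probe("http://example.invalid/", fake_fetch))
```

Run it against the constructed host and it reports both `.git` paths and `/config.yml: password`; swap `fake_fetch` for the default `http_fetch` to test a host you are authorized to assess. The fix on the server side is to refuse to serve dotfiles and config directories at all (for nginx, a `location ~ /\.git { deny all; }` block, and the equivalent rule for the framework's config directory), and to move database credentials out of the web root into environment variables or a secrets store.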
The Register asked Deloitte and Tank Design to comment, but we've not heard back. ®
Updated to add
In a statement sent to The Register after this story was published, a spokesperson for Deloitte distanced the firm from the now-removed hacking quiz website.
"We are aware of an incident that involved unauthorized access to an interactive game/website which was developed for a cybersecurity event in 2015," the spokesperson said.
The website has not been actively used since 2015 and has now been taken down.