Flaw in Columbia, S.C., website exposed city passwords
The official website of the city of Columbia, South Carolina, had a flaw in its search tool that allowed people to see passwords used to access municipal databases and email servers, an internet security researcher discovered this week.
Keyword searches for terms that did not appear on the city’s website turned up a results page intended only for IT administrators. That page contained credentials that could have been used to access internal networks, steal sensitive resident and employee information, or commandeer the city government’s email system.
The flaw, which has since been fixed, was first reported Thursday by CNET. Invalid searches on the city’s website now return a simple error page reading “Whoops, looks like something went wrong.”
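The article does not describe the city's software stack or the exact mechanism behind the leak, only that an unmatched search returned an administrator-facing page carrying credentials, and that the same request now returns a generic error. The following is an added example, not the city's code and not taken from the article, that models the general class of defect this describes: a search handler whose failure path renders the application's configuration, including database and mail-server secrets, into the response, placed beside a hardened handler that treats a miss as an ordinary empty result and, for real failures, logs the detail server-side and shows the client only a generic message. Every name, path and configuration value below is constructed for illustration, and the secrets are placeholders.

```python
"""Model of a search endpoint that leaks configuration through its error page.

Added example. The application, index, configuration values and request
paths are constructed for illustration; none of them describe the Columbia
site, whose stack the article does not identify.
"""

import logging
import re
from html import escape

# Constructed configuration of the kind a web framework loads at startup.
# The secret values are placeholders, not real credentials.
APP_CONFIG = {
    "DB_HOST": "db.internal.example",
    "DB_USER": "cityweb",
    "DB_PASSWORD": "placeholder-db-secret",
    "MAIL_HOST": "mail.internal.example",
    "MAIL_PASSWORD": "placeholder-mail-secret",
}

# Constructed site index: the only terms the search "knows" about.
SITE_INDEX = {"permits": "/permits", "water": "/utilities/water", "council": "/council"}

# The generic message the article reports the fixed site now returns.
GENERIC_ERROR = "Whoops, looks like something went wrong."

log = logging.getLogger("search")


class SearchMiss(Exception):
    """Raised when a query matches nothing in the index."""


def search_index(term):
    """Look a term up in the constructed index; raise SearchMiss on no match."""
    term = term.strip().lower()
    if term in SITE_INDEX:
        return f'<a href="{escape(SITE_INDEX[term])}">{escape(term)}</a>'
    raise SearchMiss(term)


def debug_error_page(exc, config):
    """VULNERABLE: renders the exception and the full configuration into the
    response body. Convenient for administrators, catastrophic when the page
    is reachable by anonymous users."""
    rows = "".join(
        f"<tr><td>{escape(k)}</td><td>{escape(v)}</td></tr>" for k, v in config.items()
    )
    return (
        f"<h1>{escape(type(exc).__name__)}: {escape(str(exc))}</h1>"
        f"<table>{rows}</table>"
    )


def handle_search_vulnerable(term, searcher=search_index):
    """Returns (status, body). A miss is treated as an error and the error
    path dumps APP_CONFIG to whoever sent the request."""
    try:
        return 200, searcher(term)
    except Exception as exc:
        return 500, debug_error_page(exc, APP_CONFIG)


def handle_search_fixed(term, searcher=search_index):
    """HARDENED: a miss is a normal empty result, not an error. Any genuine
    failure is logged server-side with its traceback and the client sees only
    the generic message, never the exception text or the configuration."""
    try:
        return 200, searcher(term)
    except SearchMiss:
        return 200, "<p>No results found.</p>"
    except Exception:
        log.exception("search failed for term %r", term)
        return 500, f"<p>{escape(GENERIC_ERROR)}</p>"


# A check of the kind an external researcher or an internal scanner can run
# over responses: does the body carry anything that looks like a secret?
SECRET_PATTERN = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


def response_leaks_secrets(body):
    """True if the response body contains a credential-looking field name."""
    return bool(SECRET_PATTERN.search(body))


if __name__ == "__main__":
    for handler in (handle_search_vulnerable, handle_search_fixed):
        status, body = handler("zzz-not-on-site")
        verdict = "LEAK" if response_leaks_secrets(body) else "clean"
        print(f"{handler.__name__}: HTTP {status}, {verdict}")
```

The important design point is in `handle_search_fixed`: a search with no hits is not an exception, so it never reaches the error path at all, and the error path itself separates what is logged (the full traceback, server-side) from what is returned (a fixed string). The `response_leaks_secrets` check is deliberately crude; in practice it belongs in an integration test that requests a nonsense term against every public endpoint and fails the build if a credential-looking field name appears in the body.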
Columbia officials did not respond to requests for comment on the search flaw. But Arif Khan, the independent researcher who discovered it, told StateScoop he did not find any evidence the city’s network had been improperly breached or abused. Khan wrote that he stumbled upon the flaw in Columbia’s website using open-source intelligence techniques while looking for this kind of vulnerability “en masse.” He said he did not find the flaw on any other government website.
Columbia Mayor Stephen Benjamin, who also serves as president of the U.S. Conference of Mayors, has said previously that his administration has taken steps to improve its cybersecurity posture.
“We’ve built in controls at the city to protect taxpayers and rate payers,” he said at a 2017 conference, though it is unclear what controls the mayor was referring to. He said at the same event that the city also benefits from its proximity to computer science researchers at the University of South Carolina.
While it appears no malicious actor found or took advantage of the flaw in Columbia’s website that Khan discovered, state and local governments continue to face heightened rates of cyberattacks. Research published earlier this year by Symantec found that ransomware attacks against enterprise-level targets, a category that includes governments, increased 12 percent in 2018. Meanwhile, survey results published last October by Deloitte and the National Association of State Chief Information Officers show that most states commit less than 3 percent of their overall IT budgets to cybersecurity, a much lower share than that reported by large federal agencies or corporations.
There is bipartisan legislation pending in the U.S. Senate that would create a federal grant program for state, local and tribal governments to invest further in their cybersecurity technology and staffing.