OWASP server blunder exposes decade of resumes

Irony alerts: Open Web Application Security Project Foundation suffers lapse


A misconfigured MediaWiki web server allowed digital snoops to access members' resumes containing their personal details at the Open Web Application Security Project (OWASP) Foundation.

According to the nonprofit, which works to improve web app security, it became aware of the misconfig and subsequent data breach in late February after receiving "a few" report requests.

"If you were an OWASP member from 2006 to around 2014 and provided your resume as part of joining OWASP, we advise assuming your resume was part of this breach," OWASP said in a Good Friday notification posted on its website.

"We recognize the significance of this breach, especially considering the OWASP Foundation's emphasis on cybersecurity," it added.

The resumes contained names, email addresses, phone numbers, physical addresses, "and other personally identifiable information," presumably people's places of employment, we're told. 

While the good news is that these resumes are at least a decade old in most cases, that's still a lot of individuals' details — OWASP boasts "tens of thousands of members" across more than 250 chapters worldwide.

Presumably, at least some of these people still have the same identifiers that they did back in 2014, which can now be used for identity fraud and other nefarious purposes if they end up in the wrong hands or in a dark web database dump.

If you have the same email address or phone number, for example, OWASP urges caution when answering or receiving unsolicited emails and calls. These could lead to phishing attempts and financial crimes.

According to the open source community, it no longer collects resumes as part of its membership application process and now uses two-factor authentication to protect member data.

To make sure this doesn't happen again, OWASP said it disabled directory browsing and checked the web server for additional configuration and security issues, and removed all of the resumes from the site.
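The fix OWASP describes, shown here as an added example rather than OWASP's own configuration: an Apache vhost fragment for a MediaWiki install, with the weak setting that exposes uploaded files beside the corrected one. It assumes the wiki lives under /var/www/mediawiki with uploads in /var/www/mediawiki/images (MediaWiki's default upload directory) and that mod_php is in use; adjust paths to match the deployment.

```apache
# WEAK (assumed, for illustration): directory listings enabled.
# Any path under /images/ that has no index file is rendered as a
# browsable index, so every uploaded file name and link is visible.
<Directory "/var/www/mediawiki/images">
    Options +Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# CORRECTED: no directory listings anywhere under the wiki root,
# and no script execution from the upload directory.
<Directory "/var/www/mediawiki">
    # -Indexes: a request for a directory without an index file now
    # returns 403 instead of an auto-generated file listing.
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/mediawiki/images">
    Options -Indexes -ExecCGI
    # Serve uploads as static files only; never run PHP placed here.
    php_admin_flag engine off
    # Uploads that should not be world-readable belong outside the
    # document root, behind an authenticated download script, not here.
</Directory>
```

After reloading Apache, requesting the upload directory itself (e.g. /images/ or /images/archive/) should return 403 rather than an HTML file listing; that request is the check to repeat after any later configuration change.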

Additionally, the foundation purged the CloudFlare caches, and requested that the accessed data be removed from the web archive.

While OWASP is attempting to notify affected individuals via email, the age of the resumes, between 10 and 18 years, makes it more difficult.

"Regardless, we will contact the email addresses discovered during our investigations," it pledged. ®
