Bad form: FBI server sending fake emails taken offline and fixed, no data impacted | ZDNet



The FBI has placed the blame for a weekend fake email incident on a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) that allowed emails to be sent from the ic.fbi.gov domain.

“LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners,” it said.

“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”

The FBI said it initially took the “impacted hardware” offline quickly, and later said it had quickly remediated the “software vulnerability” and confirmed the integrity of its network.

Spamhaus said it saw two waves of email being sent.

Brian Krebs reported that the sender of the emails found they were able to send them because the FBI was generating the one-time code for signing up to a new LEEP account client-side, and that code was sent along with an email subject and body in a POST request to the FBI’s servers. Manipulating the request parameters enabled the emails to be sent, and a script was used to automate the sending process.

It would seem all the so-called misconfigurations and software vulnerabilities were in the way the FBI had its portal built, with the cherry on top being how it exposed and piped user input to a mail server. Pretty embarrassing and worthy of a dozen facepalms, at least.
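The design flaw described above, shown beside a corrected form, as an added example that is not code from the FBI, LEEP or the original article. The function names, field names, subject line and template are assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for illustration; not the portal's real template or settings.
SUBJECT = "Your account confirmation code"
BODY_TEMPLATE = "Use this one-time code to confirm your account: {code}"
CODE_TTL_SECONDS = 600

_pending = {}  # recipient -> (sha256 hex digest of the code, expiry timestamp)


def build_email_vulnerable(form):
    """Pattern the article describes: subject and body are taken from the request."""
    return {"to": form["email"], "subject": form["subject"], "body": form["body"]}


def build_email_hardened(form, now=None):
    """Read only the recipient from the request; the server owns everything else."""
    now = time.time() if now is None else now
    to = form.get("email", "")
    # Reject header injection (CR/LF) and anything that is not a single address.
    if any(c in to for c in "\r\n") or to.count("@") != 1:
        raise ValueError("invalid recipient address")
    code = f"{secrets.randbelow(10**6):06d}"  # generated server-side with a CSPRNG
    _pending[to] = (hashlib.sha256(code.encode()).hexdigest(), now + CODE_TTL_SECONDS)
    return {"to": to, "subject": SUBJECT, "body": BODY_TEMPLATE.format(code=code)}


def verify_code(email, submitted, now=None):
    """Check a submitted code; any attempt consumes the stored code."""
    now = time.time() if now is None else now
    entry = _pending.pop(email, None)
    if entry is None or now > entry[1]:
        return False
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    return hmac.compare_digest(digest, entry[0])
```

The hardened handler still sends mail to whatever address is submitted, so a real deployment would also rate-limit requests per recipient and per client.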
