Beads of sweat must have surely run down the face of one hacker who, while trying to score a bug bounty, inadvertently infiltrated an “internal US Department of Defence website that requires special credentials to access.”
The unnamed hacker exploited a pair of vulnerabilities to gain access to the US Army network via an unpatched website and a misconfigured proxy. The starting point, goarmy.com, paved the way to an open proxy and into the normally access-controlled internal DoD server.
Uncle Sam’s techies quickly shored up their defenses after the security shortcomings were reported via the Hack the Army bug bounty that ran from November to December 21, 2016, we’re told.
“They got there through an open proxy, meaning the routing wasn’t shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system,” Hack the Army staffers explained.
“On its own, neither vulnerability is particularly interesting, but when you pair them together, it’s actually very serious.”
The Army remediation team and the Army Cyber Protection Brigade patched the bugs, breaking the attack chain and preventing exploits. We’re told that the first bug submitted to the HackerOne-run bounty – one of 118 exploited vulnerabilities reported in all – was discovered five minutes after the program was launched. The agency paid out $100,000 in bug bounty rewards.
Of the 371 participants, 25 were government employees, including 17 military bods. The US Army indicated it may be launching another bounty or similar service due to the success of its November venture.
There is no word on whether the chained vector was used to breach the army previously. We’ve asked the Pentagon for comment.