Pierluigi Paganini
July 05, 2016
The security researcher from Government Lab Mohammed Adel has found a vulnerability in the UK Defence Gateway, an application only for the staff use, that could be exploited by attackers to gain access to the system as a staff member .
Mohammed Adel told me that he exploited the vulnerability in a kind of Filtering Bypass attack, He was able to get into the UK Defence Gateway without using the @MOD.uk email, a condition implemented to allow the authentication only the internal staff.
The hacker was able to view the material used by the UK Defence to train its personnel, he accessed the private lessons that the Defence Gateway delivers to its staff.
Adel was also able to access other information, including news and the internal announcements.
This Defence Gateway is a platform used by all of the army units, it is also used to allow the Defence UK staff can communicate privately .
Below image the researcher shared to proof the existence of the bug.
The Government Lab rated the bug 6.2 over 10.
I reached the hacker for a comment:
“The severity of this Vulnerability is allowed me to see the sensitive information, including training army data that could allow attackers to study the tactic British Defence. A hacker can exploit the vulnerability to to access the information and sell it to threat actors.”
