#Fail : A 1.9 Million Record Terrorist Watchlist Was Available Online Without A Password

A secret terrorist watchlist containing 1.9 million records was discovered online by Security Researcher Volodymyr “Bob” Diachenko at Comparitech:

On July 19, 2021 I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it.

The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country’s no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more.

I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work. The DHS did not provide any further official comment, though.

And:

Each record in the watchlist contained some or all of the following info:

  • Full name
  • TSC watchlist ID
  • Citizenship
  • Gender
  • Date of birth
  • Passport number
  • Country of issuance
  • No-fly indicator

The data also included a couple of categorical fields that I was unable to identify, including “tag,” “nomination type,” and “selectee indicator”.

That is not trivial in the slightest. Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say:

 “Exposure of records through misconfiguration is a major issue whether we are talking about public cloud misconfigurations or of any service exposed to the Internet. Organizations needs to continuously monitor all resources deployed in their enterprise to minimize risks of such exposure. Elasticsearch clusters, S3 buckets, Databases have all been left open by organizations as well as their third-party suppliers and vendors that have resulted in data breach. Such records can be sold on the Dark Web or used for further attacks specially if credentials are involved.”

Hopefully whomever owns this data should take the advice of Ms. Das so that this never happens again.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: