A wide-open database was spilling details on Oklahoma police and at least one Oklahoma bank, including images that exposed physical security details of multiple Department of Public Safety buildings, such as locks, RFID access panels, and controller boards.
Security researcher Chris Vickery revealed the vulnerability on Tuesday.
He told The Daily Dot that the misconfigured CouchDB database was accessible online for at least a week.
The Daily Dot says it reached out to Oklahoma’s statewide law enforcement agency, the Oklahoma Highway Patrol, to give notice of the breach, which specifically affected the building housing Troop A. MidFirst Bank of Oklahoma City was also affected.
Vickery says that on Saturday, he spoke to a vice president at Automation Integrated, which is the systems integrator that manages the database.
Vickery said that the way the VP handled the call is an example of “excellent incident response”:
“The guy didn’t try to call me a hacker, he didn’t try to claim that it was a fake database filled with dummy-data, and he didn’t try to deflect responsibility onto another company. What he did do was fix the issue promptly, verify with the original reporter that the issue was fixed, and he appreciated the fact that someone would go out of their way to make sure an issue like this was taken care of.”
(As opposed to the type of response too often seen.)
Vickery had initially contacted an Automation Integrated technician, telling him or her that he’d found a CouchDB implementation that required no username or password to access.
He also informed the tech that the database appeared to contain “an alarming amount of internal company files,” including:
- Photographs of security mechanisms (e.g. locks, RFID access panels, and controller boards) from within protected Oklahoma DPS buildings, and
- Database entries containing, among other things, details on the make and model, location, warranty coverage, and even whether or not the unit was still functional.
The tech gave Vickery an email to send details, so he sent some photos, including those of an Oklahoma Highway Patrol building, a collection of surveillance camera stills, and one image taken from within a bank vault.
Within hours, the VP gave Vickery a call, telling him that the hole had been closed and staying on the phone while Vickery verified that he could no longer get into the database.
He also told Vickery that the company would be informing its clients.
The Daily Dot reached out to Oklahoma Highway Patrol about the breach and says that an official responded with disbelief and insisted that “the reporter did not know what he was talking about.”
MidFirst Bank of Oklahoma City told the news outlet that it would respond to the press inquiry “shortly.”