“Debug mode” in popular webdev tool Laravel exposes credentials for hundreds of websites

guest · Oct 19, 2019

“Debug mode” in popular webdev tool exposes credentials for hundreds of websites
October 17, 2019
https://www.comparitech.com/blog/vpn-privacy/debug-mode-exposes-credentials/

Hundreds of websites made using a popular web development tool have exposed sensitive data to anyone with a web browser.
The tool, a PHP framework called Laravel, includes a “debug mode” that lets developers identify errors and misconfigurations before websites go live. The problem is that many developers fail to disable the debug mode after going live, exposing backend website details like database locations, passwords, secret keys, and other sensitive info

Comparitech worked with security researchers Bob Diachenko and Sebastien Kaul to uncover websites made vulnerable through Laravel’s debug mode and notify the owners of the exposures starting on October 11. They found 768 websites with active Laravel sessions in all, and he estimates 10 to 20 percent of them contain sensitive configurations. Most of the websites are for charities and small businesses.

To be clear, this is not a breach of user data; no user records were leaked. This exposure instead gave hackers an attack vector to potentially hijack mail servers, explore source code structure, find weak points, re-use passwords on other systems, and mount other types of attacks.
Click to expand...

Log in or Sign up

“Debug mode” in popular webdev tool Laravel exposes credentials for hundreds of websites

guest Guest

Log in or Sign up

“Debug mode” in popular webdev tool Laravel exposes credentials for hundreds of websites

guest Guest

Useful Searches