
OWASP Data Breach From Server Misconfiguration Leaks Members’ Personal Information

The OWASP Foundation has disclosed a data breach from server misconfiguration that exposed members’ personally identifiable information.

Launched in September 2001, the Open Worldwide Application Security Project (OWASP) aims to improve software security by providing guidance and training on developing, purchasing, and maintaining trustworthy applications. It regularly organizes training and educational conferences worldwide and provides free resources and tools to help organizations achieve application security.

OWASP server misconfiguration data breach leaked members’ PII

On March 29, 2024, OWASP said it had discovered a misconfiguration on its old Wiki web server in late February, after receiving several support requests about it.

Upon investigation, it determined that the breach affected members who joined between 2006 and 2014 and had submitted their resumes as a membership requirement.

“OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community. OWASP no longer collects resumes as part of the membership process,” the organization said.

The foundation advised members who uploaded their resumes when joining the community to consider them breached and take precautions.

OWASP said the server misconfiguration data breach exposed members’ names, email addresses, phone numbers, physical addresses, and other personally identifiable information included on the resumes.

Although the exposed information was likely outdated, OWASP said it would notify reachable victims that their personal information was involved in a data breach. So far, the number of individuals impacted by the OWASP data breach remains undisclosed.

The irony was not lost on OWASP when disclosing the data breach on X on April Fools’ Day. However, the foundation assured the current members that their information was secure.

“No joke, we did have a data breach in late March involving the resumes of our earliest members,” OWASP posted on X. “Rest assured, all current membership data remains secure. We recognize the unfortunate irony here and are determined to make it our last breach.”

OWASP said it had removed the leaked information from the internet, so no immediate action was necessary for impacted individuals whose details were outdated.

However, individuals whose leaked data was up-to-date should be cautious when answering unsolicited emails, mail, or phone calls, as threat actors might attempt to solicit sensitive details such as login credentials, two-factor authentication codes, or credit card numbers, resulting in subsequent data breaches or identity theft.

“To have a web application data breach is a bit of egg on the face of OWASP as a whole, but we aren’t the kind of folks that wonder why,” said Jason Kent, Hacker In Residence at Cequence Security. “We get to the heart of it, fix it, and make sure everyone knows what happened and how to stop it.”

OWASP fixes the embarrassing server misconfiguration

OWASP said it fixed the misconfiguration by disabling directory browsing on the old Wiki server, reviewing the web server and MediaWiki configuration for other security issues, and removing the members’ resumes from the server.
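For reference, the class of setting at the center of this incident, shown as an added illustration rather than OWASP's actual configuration: an Apache virtual host serving a MediaWiki installation with directory listing enabled, beside its hardened form. The hostname, filesystem paths and the use of MediaWiki's default `images/` upload directory are assumptions.

```apache
# Added illustration, not OWASP's real configuration; hostname and paths are assumed.

# WEAK: 'Indexes' lets mod_autoindex render a browsable listing for any directory
# that has no index file. Every upload under /images (MediaWiki's default upload
# directory) then becomes discoverable by visiting the directory URL, even if
# nothing on the wiki links to it.
<VirtualHost *:443>
    ServerName old-wiki.example.org
    DocumentRoot /var/www/mediawiki
    <Directory /var/www/mediawiki>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

# HARDENED: drop 'Indexes' so a directory without an index file returns 403
# instead of a listing, and, for an archived wiki whose uploads are no longer
# needed, deny the upload tree outright. Deleting the files remains necessary;
# the listing is only the discovery vector.
<VirtualHost *:443>
    ServerName old-wiki.example.org
    DocumentRoot /var/www/mediawiki
    <Directory /var/www/mediawiki>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <Directory /var/www/mediawiki/images>
        Require all denied
    </Directory>
</VirtualHost>
```

To verify after a reload, request the directory URL directly (for example `curl -sI https://old-wiki.example.org/images/`) and expect a 403, not a 200 whose body begins with "Index of /images". The nginx equivalent is `autoindex off;`, which is already the default there. Note that the `-Indexes`/`+FollowSymLinks` form changes only those two options and leaves any others inherited from the server context alone, which is usually what you want when retrofitting an old host.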

The foundation also purged the Cloudflare cache to prevent further access to cached copies and requested that the information be removed from the Web Archive.

OWASP also said it employs “modern cloud-based security best practices such as two-factor authentication, minimal access, and resiliency” to protect current members’ personal information from inadvertent exposure.

It also promised to review its data retention policies to prevent similar breaches in the future.

“Directory Traversal needs to be disabled (it is by default on most systems now), and data retention policies are extremely important for a reason,” Kent added. “If they had purged all data when they moved to the new systems a couple of years ago, this wouldn’t have happened.”

The OWASP server misconfiguration demonstrates that no organization is immune to data breaches and underscores the importance of maintaining visibility into an organization’s assets, including legacy systems that are no longer actively maintained.

“If it can happen to an organization of volunteers that are wanting the world to be a safer place, it can happen to your organization of security professionals dedicated to your environment being a safer place,” Kent concluded.