Bong Go's website defaced, hacker pushes for vulnerability disclosure program


The website of Sen. Bong Go was hacked on the same day the senator announced his withdrawal from the presidential race. Pinoy GrayHats, a Filipino cybersecurity group, informed MB Technews that one of its members had found a severe vulnerability on the senator's website. A few hours later, we received an update that the personally identifiable information (PII) of volunteers for Go's presidential bid could be exposed and that the site had been defaced.

The website of Senator Bong Go.

Pinoy GrayHats, however, claimed that the hack was not a targeted attack. The site https://kuyabonggo.ph showed multiple vulnerabilities in the automated passive scanning the group ran. After finding them, the group exploited the site's misconfigurations, carried out SQL injection attacks, and installed a backdoor that gave it complete control of the site.

A member of the group also told MB Technews that they have no plans to exfiltrate the site's contents. They said they even put measures in place to protect the server and its contents from other hackers who might try to download the sensitive information.

"We fixed the broken access control issue that allows any user to bypass and access endpoints even without proper authorization," a member of Pinoy GrayHats told MB Technews.

The defaced page

"While we did not specifically target Sen. Bong Go, we believe that he is the right person to listen to our concern once we show him that we are doing this for good," the group said. "We hope that, as we show the good senator the dangers of the vulnerable site in exposing personal and sensitive data, the government would support cybersecurity professionals by pushing vulnerability disclosure programs for government websites and servers."

Early this year, MB Technews reported the call of Filipino cybersecurity professionals for companies and government agencies to have a functional Vulnerability Disclosure Program or VDP.

According to Bugcrowd, a crowdsourced security platform, a VDP is like a neighborhood watch. It encourages people to report something if they see suspicious activity. For instance, if you saw your neighbor's front door open, you would want to let them know about it. But if you don't have your neighbor's contact information, how would you let them know? Vulnerability disclosure programs provide a way to report potential security risks formally and consistently and give a channel to know that someone got the message.

Here in the Philippines, when whitehat hackers and IT professionals discover vulnerabilities on a website or server, they will almost certainly not find anyone to whom they can send the report. Given the rate at which whitehat hackers and other cybersecurity enthusiasts find vulnerabilities in Philippine servers, it is crucial to have a channel to report them.
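One concrete form such a channel can take is a security.txt file, standardized in RFC 9116 and served at /.well-known/security.txt, which tells anyone who finds a flaw where to send the report and how to encrypt it. The file below is an added illustration, not something published by the article, by Pinoy GrayHats, or by kuyabonggo.ph; the host name, mailbox, key URL, policy URL and expiry date are all placeholders.

```text
# Placeholder file for https://example.gov.ph/.well-known/security.txt
# Contact and Expires are the two fields RFC 9116 requires; the rest are optional.
Contact: mailto:security@example.gov.ph
Contact: https://example.gov.ph/report-a-vulnerability
Expires: 2022-11-30T00:00:00.000Z
Encryption: https://example.gov.ph/pgp-key.txt
Preferred-Languages: en, tl
Canonical: https://example.gov.ph/.well-known/security.txt
Policy: https://example.gov.ph/vulnerability-disclosure-policy
```

Two practical notes: RFC 9116 recommends an Expires value less than a year out, so the file needs a refresh on a calendar, and the Contact mailbox has to be monitored, since an unanswered report is what pushes a finder toward the kind of public defacement described above.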

As of this writing, the defaced website is still up at https://kuyabonggo.ph/assets/ and https://kuyabonggo.ph