2021-08-11

Sensitive systems and data for the U.S. Department of State could have been exposed by a third-party development workstation running the eXide software (https://exist-db.org/exist/apps/eXide/index.html), according to researchers for the hacking crew Sakura Samurai (https://sakurasamurai.pro/). According to a report in Forbes (https://www.forbes.com/sites/paulfroberts/2021/08/05/new-vuln-disclosure-policy-pays-dividends-for-federal-agencies/?sh=59a0cdc125be), the researchers took advantage of a new State Department Vulnerability Disclosure Program (https://www.state.gov/vulnerability-disclosure-policy/) to look for security flaws in one of the 8 wild-carded State Department domains included in the program. Using automated tools to do reconnaissance on one of the subdomains the State Department had included in its VDP, researcher Jackson Henry discovered a vulnerable workstation running the open-source, web-based eXide IDE. It was linked to a third party doing work for the State Department and contained a number of serious security holes, including Cross-Site Scripting (XSS), Remote File Inclusion (RFI), and Server-Side Request Forgery (SSRF) flaws. All are powerful weapons in the hands of a sophisticated cyber adversary.