Detailed technical analysis for the Lebanese General Security’s passport renewal platform

On January 27, the Lebanese General Security launched a new platform (gs-appt.gov.lb) for booking passport renewal appointments to solve the problem of overcrowding in application centers. After a quick inspection, SMEX discovered that the platform is lacking data security and privacy measures, as well as transparency, and that it’s powered by Hani Saliba Foundation, an NGO belonging to a candidate running for elections.

The platform’s developer responded to our thread in a post on Reddit explaining that the General Security’s platform is safe, confirming that it has the SSL certificate. The platform currently runs an SSL certificate, but it was missing on Thursday when we wrote our initial thread

As promised, we are publishing the detailed technical analysis of the (gs-appt.gov.lb) platform. 

Our tech team detected a configuration leak on the IP on which we suspect the gs-appt.gov.lb is running now. This configuration leak was found on a development environment on which the developers of the application test out the app before making it public and accessible and fully functional. It’s a bad practice to put development environments publicly as it might represent a security risk. The configuration leak contains Database configurations such as database name, username and password and some sensitive information. It’s important to note the danger of deploying development code on publicly available servers, as important information concerning the platform might be revealed.

We are publishing the technical details for General Security or any other public or private entity to embed privacy, data protection, and security by design. 

We also urge all ministries, departments, official institutions, and private companies to ensure that privacy, data security, and transparency are at the forefront of any platform or website, public or private, that collects and processes personal data, particularly on a large scale, and that all of this is spelled out in the Privacy and Terms of Use policy.

Website: https://gs-appt.gov.lb

Hosting: LibanTelecom aka Ogero 

DDoS Protection: Available through CloudFlare

DNS: CloudFlare

Configuration leak: Yes

This “.env” file leak is solved in the publicly available platform (production environment), but the configuration leak has already happened and is currently on the internet. We urge General Security to change the database username and password immediately if it matches the one that has been leaked through the .env configuration file.

Notice: We obstructed sensitive information in the above picture in order to protect Lebanese citizens from any potential harm or breach.

Web Firewall: Palo Alto

Palo Alto Firewall proof of availability

We found this page which confirms the availability of an intrusion detection system based on Palo Alto (the image shown is typically one of the return messages by Palo Alto Firewall). This measure ensures intrusion prevention and the protection of sensitive information.

Debugging disabled: No

The debugging option, which is a development option, was activated when the application was still in its development phase. During this stage, a developer identifies and finds bugs in order to fix or resolve them. This option wasn’t disabled on the public website at the moment of capture, and we cannot accurately estimate the risk, but such information could be revealing to malicious actors, thus jeopardizing the privacy of Lebanese citizens, especially since the platform collects personal information.

“Debug mode” is not deactivated on the publicly available website,  at the time of detection. As well as  the version of Laravel (PHP framework to build websites) disclosure and PHP version disclosure.

TLS: Yes, Grade B

SSL tests results

SMEX previously tweeted about the unsecure connectivity of the GS passport website. After our technical check we conclude that the certificate is put in place through CloudFlare services. The certificate in place supports all the TLS versions including the latest TLS 1.3. But, the certificate should stop supporting TLS 1.0 and TLS 1.1 as they are considered to be deprecated and exploitable. Although we understand the need for a large set of older devices compatibility, we strongly recommend disabling TLS 1.0 and TLS 1.1.

Results could be found here https://observatory.mozilla.org/analyze/gs-appt.gov.lb

We Are Ready To Help With New Apps And Websites Looking To Fortify Their Privacy And Security, And We Will – In Partnership With Friedrich Naumann Foundation (FNF) In Lebanon And Syria – Expand Our Work On Serving As A Watchdog Over Citizens’ Digital Data On Lebanon’s Government Platforms.

This page is available in a different language العربية (Arabic) هذه الصفحة متوفرة بلغة مختلفة

SMEX

SMEX is a registered Lebanese NGO that works to advance self-regulating information societies in the Middle East and North Africa.