#misconfigurations — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #misconfigurations, aggregated by home.social.
-
Found an unsecured Google Cloud storage bucket exposing PExL Participation Payment Receipts from Princeton University (Ivy League). Files contained student full names, handwritten signatures, UIDs, and payment amounts.
This was responsibly reported to the university's infosec email; however, I had problems because the email was blocked by administrator rules and I had to report it to people who have nothing to do with infosec.
I didn't get a response from anyone; it was just closed after January 28th.
Let's make the internet safer.
https://www.security-chu.com/2026/02/Princeton-experimental-laboratory-accident-breach.html
-
🇨🇱 The Urological Diagnostic Institute (IDU) exposed 23GB of patient information on an unsecured server.
🔴15,000 PDF files contained patient exams with their data: patient name, age, national identification number (RUT), referring physician, sex, order number, admission date, review date, sample collection date, agreement, program, observations, and, of course, the exam results (in this case, for example, urinalysis).
🟢This was reported to the institution on November 4th via email. On January 13, 2026, I verified that the server appeared to be closed. I do not know if the institution notified the ANCI (National Agency).
-
🇧🇩 Today I'm going to talk about Bondstein Technologies Limited, a company based in Dhaka, Bangladesh. One of their servers was found to be completely open and unprotected.
Bondstein Technologies Limited is a Dhaka-based technology company specializing in Internet of Things (IoT) solutions and frontier technologies. Founded in 2014, it has established itself as a leading player in Bangladesh for vehicle tracking, industrial automation, and smart connectivity.
What data was exposed?
On December 26, 2025, I discovered that the server was exposing a 22 GB SQL backup file. According to the file timestamps and metadata, this backup appears to have been publicly accessible since at least July 2025. Among the files in the backup was users.sql, which contained the following sensitive fields:
username, customer_name, First_name, Last_name, Phone_number, Additional_contact-number, email, password.
*I was able to confirm that some of the employee names were real.
Additional findings:
The exposed server's IP resolved to a properly certified HTTPS server using a subdomain under .bondstein.net. The same IP also hosted a login portal (which I did not attempt to access). With this information, we were able to accurately identify the owner and submit a responsible disclosure.
Notification:
All of this was detailed in the email I sent to several Bondstein employees on December 26, 2025. When I checked again on January 5, 2026, the exposure had been fully closed. I followed up via email to inquire about any possible reward. On January 6, they replied with the following message:
Hi Chum1ng0,
Thank you for your responsible and detailed disclosure regarding the open directory issue on our server. We sincerely appreciate you taking the time and effort to notify us of this vulnerability, which allowed us to address it quickly. Your commitment to ethical research is truly valued. We want to confirm that the issue has been fixed and access has been restricted. We would also like to clarify that the server you identified is a staging server kept for internal purposes, and not a production environment. Regarding your request for a reward, we currently do not have an official bug bounty program in place. However, we are grateful for your help in securing our infrastructure.
We appreciate your patience and look forward to potentially collaborating in the future should we establish a formal program.
Sincerely
Bondstein-NOT REWARD-
#VDP #responsibleDisclosure #misconfigurations #Bangladesh #cybersecurity #bondstein
-
Misconfigurations Are Not Vulnerabilities: The Costly Confusion Behind Security Risks – Source:thehackernews.com https://ciso2ciso.com/misconfigurations-are-not-vulnerabilities-the-costly-confusion-behind-security-risks-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #misconfigurations #TheHackerNews
-
How SSL Misconfigurations Impact Your Attack Surface – Source:thehackernews.com https://ciso2ciso.com/how-ssl-misconfigurations-impact-your-attack-surface-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #misconfigurations #TheHackerNews
-
A misconfigured Azure Blob was exposed by the environmental management company 🇨🇱 🇵🇪 🇵🇾 Disal/Ambipar 🇧🇷 with more than 300,000 internal files. This was reported to the company shortly after its Blob was blocked; more details on my Substack.
📌 link: https://newschu.substack.com/p/misconfigurations-capitulo-8-un-azure
#Chile #infosec #disal #ambipar #cl #peru #paraguay #brasil #misconfigurations #privacy
-
Update:
Hundreds of 3D images of dental patients exposed without protection in a Bucket of two Italian companies.
Today, the bucket was closed, and the medical director sent a one-line email stating the following:
"I have taken immediate action with both the service provider and our designated DPO. I am leaving my direct contact number for future communications."
📌 link:
https://www.suspectfile.com/italy-exposed-database-puts-dental-clinic-patients-data-at-risk/
#infosec #privacy #Italy #Milan #bucket #healthcare #misconfigurations #DPO
-
Hundreds of 3D images of dental patients exposed without protection in a Bucket of two Italian companies.
link:
https://www.suspectfile.com/italy-exposed-database-puts-dental-clinic-patients-data-at-risk/
#infosec #Italy #Milan #privacy #cybersecurity #healthcare #bucket #misconfigurations
-
Cloud Extortion Campaign Uses Exposed AWS .Env Files to Target 110,000 Domains https://thecyberexpress.com/cloud-extortion-campaign-hacks-aws-env-files/ #TheCyberExpressNews #CybersecurityNews #cloudenvironments #leakedcredentials #Misconfigurations #TheCyberExpress #Vulnerabilities #FirewallDaily #AWSS3security #cloudsecurity #cybersecurity #AWSSecrets #AWS
-
🔒Misconfigurations - Chapter 7:
A misconfigured database exposed 66,000 files from the digital healthcare solutions company IMED.
The company was contacted in early July via email, after which the MongoDB was no longer exposed.
🔗 Find the episode here:
https://newschu.substack.com/p/misconfigurations-capitulo-7-una
#infosec #misconfigurations #substack #cybersecurity #Chile #cl
Thank you for alerting me to the leak @JayeLTee
-
🚨#Chile🇨🇱: 34,000 users exposed due to a misconfiguration in MongoDB from TV wherever you want!
miplay[.]cl. The information that is exposed is email, username, passwords, devices, MAC.
PS: An email was sent to miplay
-
80% of All Security Exposures Come from Active Directory Accounts https://thecyberexpress.com/active-directory-exposures-on-a-high/ #ActiveDirectoryExposures #credentialharvesting #TheCyberExpressNews #ExposureManagement #CybersecurityNews #CredentialAttacks #domaincredentials #Misconfigurations #SecurityExposures #Misconfiguration #Vulnerabilities #Activedirectory #TheCyberExpress #FirewallDaily #ADExposures #dumping #relay #AD
-
🔒 Don't miss this chapter! Find out how a misconfiguration in an AWS S3 bucket affected Centro Médico Excel, exposing a large number of files.
🔗 Find the chapter here: https://newschu.substack.com/p/misconfigurations-capitulo-3-el-centro