A municipal client came to me with a concern: They contracted a third-party to build a portal for accessing live camera feeds across educational and municipal facilities, and something felt off about the implementation. The client’s leadership asked me to take a look.
Scope
The client specifically asked that I perform the following:
External reconnaissance of the portal
Analysis of any publicly accessible content
Information gathering and documentation
The client specifically asked that I avoid:
Password brute-forcing or credential attacks
Direct intrusion attempts
Exploitation of vulnerabilities
Attempting to log into password-protected systems
Reconnaissance
After visiting the portal I noted that the homepage functioned as the login page and prompted for a password, but did not require a username. The first thing I did was open Chrome DevTools and look at the page source. I determined that the site was built with WordPress; this isn’t unusual, but I noted that the /wp-admin page was at its default location.
Next, I continued to view the page source and noticed a few things:
Direct links to the site's RSS feeds, invisible to an end user but present in the source (WordPress emits these as <link rel="alternate"> tags by default).
A public IP address linked in the page's footer under the name of the client.
The password field carried a length attribute of 20.
So I knew that no username was required to reach the protected pages, and I read the attribute as meaning any password must be at least 20 characters. Note that which attribute it actually is matters: HTML minlength enforces a floor, maxlength a ceiling. Either way it is only a client-side hint, and it tells anyone reading the source the expected shape of the password.
Clicking the footer link and visiting the IP address produced the browser's native HTTP authentication dialog (the username/password prompt a 401 response with a WWW-Authenticate header triggers, which IP cameras typically use for Basic or Digest auth), and it almost certainly fronted a camera (more on this later). I then visited the RSS feeds referenced in the page source at /feed/ and /comments/feed/. Doing so exposed further direct links to pages across the site, all posted by the default WordPress 'admin' account.
Many WordPress sites also serve a search/404 page for any unknown path, so I appended a random string of characters to the site address; the resulting page offered a search form and a sitemap-style listing of posts. Although each entry displayed only "There is no excerpt because this is a protected post," (the stock WordPress excerpt for a password-protected post), inspecting that page's source again revealed direct links to multiple pages on the website which should have been protected by authentication, but were not.
Direct Links
Now I had confirmation of direct links to different posts on the client portal from two separate sources: the exposed RSS feeds, and the unprotected links in the search page source. I confirmed that I was able to visit each of these direct links without being prompted for authentication, which led to private blueprints of different educational and municipal facilities. The blueprints also contained diagrams of camera FOV (field of view) and direct links to each camera across each facility. Clicking on any camera link brought me straight to the camera's public IP, with the same browser authentication prompt seen behind the homepage footer link. Given that these cameras were exposed on public IPs with no VPN in front of them, there was a real possibility they were still running default credentials, meaning the entire surveillance system was potentially one guess away from compromise. Within the agreed scope I did not test that guess.
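The recon above (feeds, sitemap, then an unauthenticated visit to each link) is mechanical enough to script. The following is an added example, not the portal's code or the author's tooling: it pulls post URLs from RSS feeds and a sitemap, issues a plain GET to each with no credentials, classifies the response as open content, a WordPress post-password form, or a server-side auth block, and lists any links on open pages whose host is a bare IPv4 address, which is how the cameras surfaced here. It goes a little beyond the post by handling the sitemap format as well as RSS. The hostnames, feed XML, page bodies and IP addresses are constructed for the example; the only WordPress facts relied on are that feeds are RSS 2.0 with <item><link>, sitemaps are <urlset><url><loc>, and a password-protected post renders a form whose input is named post_password.

```python
"""Passive WordPress exposure check (added example; not the portal's code).

Collects post URLs from public RSS feeds and sitemaps, requests each with no
credentials, reports which return content rather than a password gate, and
lists links whose host is a bare IPv4 address. All sample data is constructed.
"""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"
IP_LINK = re.compile(r'href="(https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?[^"]*)"')
Fetch = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body)


def extract_links(xml_text: str) -> List[str]:
    """Post URLs from an RSS 2.0 feed (<item><link>) or a sitemap (<url><loc>)."""
    root = ET.fromstring(xml_text)
    if root.tag == "rss":
        # Comment-feed items link to the post plus a #comment-N fragment;
        # strip it so each post is checked once.
        found = [i.findtext("link", "").split("#")[0] for i in root.iter("item")]
    elif root.tag == SITEMAP_NS + "urlset":
        found = [u.findtext(SITEMAP_NS + "loc", "") for u in root.iter(SITEMAP_NS + "url")]
    else:
        found = []
    out: List[str] = []
    for url in (f.strip() for f in found):
        if url and url not in out:
            out.append(url)
    return out


def classify(status: int, body: str) -> str:
    """What an unauthenticated GET actually got back."""
    if status in (401, 403):
        return "blocked"        # server-side auth enforced (e.g. HTTP Basic)
    if 'name="post_password"' in body:
        return "password-form"  # the WordPress post-password gate was rendered
    if status == 200:
        return "open"           # content served with no credentials at all
    return "http-%d" % status


def find_ip_links(body: str) -> List[str]:
    """Links whose host is a literal IPv4 address, e.g. a camera on a public IP."""
    return IP_LINK.findall(body)


def audit(sources: List[str], fetch: Fetch) -> Dict[str, dict]:
    """Map every discovered URL to its verdict and any IP links it exposes."""
    report: Dict[str, dict] = {}
    for xml_text in sources:
        for url in extract_links(xml_text):
            if url in report:
                continue
            status, body = fetch(url)
            verdict = classify(status, body)
            report[url] = {"verdict": verdict,
                           "ip_links": find_ip_links(body) if verdict == "open" else []}
    return report


def http_fetch(url: str, timeout: int = 10) -> Tuple[int, str]:
    """Live fetcher for real use: a plain GET, never any credentials."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample data; not captured from any real site.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Portal</title>
<item><title>Protected: Lincoln Elementary</title><link>https://portal.example/lincoln-elementary/</link></item>
<item><title>Protected: City Hall</title><link>https://portal.example/city-hall/</link></item>
</channel></rss>"""
SAMPLE_COMMENTS_FEED = """<rss version="2.0"><channel><title>Comments</title>
<item><title>Comment on City Hall</title><link>https://portal.example/city-hall/#comment-3</link></item>
</channel></rss>"""
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>https://portal.example/city-hall/</loc></url>
<url><loc>https://portal.example/camera-map/</loc></url></urlset>"""
SAMPLE_PAGES: Dict[str, Tuple[int, str]] = {
    "https://portal.example/lincoln-elementary/":
        (200, '<form method="post"><input type="password" name="post_password"></form>'),
    "https://portal.example/city-hall/":
        (200, '<img src="/blueprints/city-hall.png"><a href="http://203.0.113.7:8080/view">Cam 1</a>'
              '<a href="http://203.0.113.9/video.cgi">Cam 2</a>'),
    "https://portal.example/camera-map/": (401, "Authorization Required"),
}


def sample_report() -> Dict[str, dict]:
    """Run the audit against the constructed data (swap in http_fetch for a live site)."""
    return audit([SAMPLE_FEED, SAMPLE_COMMENTS_FEED, SAMPLE_SITEMAP],
                 lambda url: SAMPLE_PAGES.get(url, (404, "")))


if __name__ == "__main__":
    for url, info in sample_report().items():
        print(info["verdict"].ljust(14), url, " ".join(info["ip_links"]))
```

The script only sends unauthenticated GETs and never submits a password, so it stays inside the same exclusions the client set for this engagement. A "blocked" verdict means a server-side control exists, not that the endpoint is safe: for a camera on a public IP it simply means the browser will prompt, which is exactly where the default-credential concern begins.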
Remediation
The client's portal was effectively unprotected: it only kept out someone who was not looking for a way in. A threat actor would have found everything I found with trivial effort. I concluded that the portal as deployed was a public safety risk, and provided a remediation plan recommending that they immediately take the portal offline and work with the affected organizations to secure their camera feeds. I recommended proper per-user username/password credentials with MFA and server-side session management in place of a single shared post password (as seen here, WordPress post passwords do nothing to keep post URLs out of feeds, search results and sitemaps), and encouraged the client to place the cameras behind a VPN rather than leaving them reachable on public IPs.
Conclusion
I did not need any specialized tools to gather this information, only the browser DevTools behind F12, which every desktop browser provides. That was especially worrying given the portal's purpose and scope, and it reinforced a lesson I keep relearning: sometimes the simplest approach exposes the most vulnerabilities.