
NY State IT Office Code Repository Exposed Online

June 24, 2021

New York State Government Code Repository Exposed Online

A code repository utilized by the IT department of New York state was inadvertently made accessible on the internet. This allowed unrestricted access to the projects contained within, some of which held sensitive secret keys and passwords linked to state government systems.

Discovery of the Vulnerability

The exposed GitLab server was initially identified on Saturday by SpiderSilk, a cybersecurity firm based in Dubai. SpiderSilk has a proven track record, having previously uncovered data breaches at companies like Samsung, Clearview AI, and MoviePass.

GitLab and Secure Code Management

GitLab is a platform commonly used by organizations to collaborate on software development and to store their source code in a controlled, access-restricted way. A GitLab project typically also holds the secret keys, tokens, and passwords the project needs to function, which is why such a server is normally kept private. In this instance, however, the server was publicly accessible.

According to Mossab Hussein, SpiderSilk’s chief security officer, anyone outside the organization could simply register an account on the server and browse its projects without any further check.

Timeline of Exposure

TechCrunch confirmed the GitLab server’s login page was actively accepting new user registrations upon investigation. While the exact duration of the exposure remains unclear, data from Shodan, a search engine for internet-connected devices, indicates the GitLab server was first detected online on March 18th.

Sensitive Information at Risk

SpiderSilk provided screenshots demonstrating the presence of secret keys and passwords associated with servers and databases belonging to New York State’s Office of Information Technology Services. Concerned about potential malicious access or tampering, the company sought assistance in reporting the security flaw to the state authorities.

Response from the Governor’s Office

TechCrunch promptly notified the New York governor’s office of the exposure. Although several emails detailing the exposed GitLab server were opened, no response was received. The server was ultimately taken offline on Monday afternoon.

Official Statement and Concerns

Scot Reif, a spokesperson for New York State’s Office of Information Technology Services, stated the server was merely “a test box” established by a vendor, containing no actual data, and has since been decommissioned.

Reif provided the statement “on background,” a convention under which the terms of attribution must be agreed in advance; because no such terms had been offered, the statement was published. He declined to identify the vendor involved or to confirm whether the passwords stored on the server had been changed.

“Production” Projects and Lack of Transparency

Several projects hosted on the server were labeled “prod,” a common abbreviation for “production,” indicating they were actively used systems. Reif also refrained from commenting on whether the incident had been reported to the state’s Attorney General’s office.

A spokesperson for the Attorney General did not provide a comment at the time of publication.

Vendor Identification: Indotronix-Avani

TechCrunch has identified the vendor as Indotronix-Avani, a New York-based company with additional offices in India that is owned by Nigama Ventures. Screenshots show that changes to some of the GitLab projects were made by a project manager at Indotronix-Avani.

The vendor’s website prominently features New York State as a client, alongside other government entities like the U.S. State Department and the U.S. Department of Defense.

Lack of Response from Indotronix-Avani

Mark Edmonds, a spokesperson for Indotronix-Avani, did not respond to requests for comment regarding the incident.
