troyhunt

Untitled

Dec 2nd, 2016
The site concerned is this one: [redacted]

They presently have over 43k files containing pathology results exposed in a folder with directory listing enabled, so you can easily see and download any of them.

It's a combination of PDF and .rar files which appear to contain results ranging from general blood tests to tests for foetal signs of Down syndrome to HIV tests.

They're also all indexed by Google, so simply shutting down the site won't remove the full exposure; Google will need to be scrubbed too.

I've not downloaded any files from the server in order to not contaminate any logs which may later be subject to forensic examination, but the files are all viewable in Google cache anyway.

Over the last 2 days, I've tried emailing multiple addresses (all bounced) and using the contact form (no reply).

I've been in touch with a local journalist who was able to contact them and get the following comments:

"We are moving to a new domain in January and retiring the existing website, so these problems will be fixed in Jan, but till then, we are not planning to do anything about this"

The server they have the Indian patient data on is also located in the USA – it's not within Indian jurisdiction: https://db-ip.com/[redacted]

This is clearly unacceptable and leaves patients exposed without their knowledge.
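The exposure above rests on two technical facts: the folder has directory listing enabled, and the files are reachable without authentication. The following is an added example (editor's code, not part of the original paste and not from the site in question) showing how to confirm and size up such an exposure from the listing page alone, without fetching a single document, which keeps the server's access log clean for any later forensic review. The HTML is a constructed sample in the shape of an Apache mod_autoindex page; the base URL, file names and the list of "sensitive" extensions are assumptions for the demonstration.

```python
"""Inventory an exposed directory listing without downloading any of the files."""
import os
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample of an Apache-style autoindex page (assumption: the real
# site is not reproduced here; names and sizes are invented for illustration).
SAMPLE_INDEX = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /reports</title></head>
<body><h1>Index of /reports</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a><hr>
<a href="/">Parent Directory</a>
<a href="REP-0001.pdf">REP-0001.pdf</a>        2016-11-01 10:22  188K
<a href="REP-0002.pdf">REP-0002.pdf</a>        2016-11-01 10:25  201K
<a href="batch-2016-10.rar">batch-2016-10.rar</a> 2016-11-02 08:00   14M
<a href="old/">old/</a>                        2016-09-30 17:45    -
<hr></pre></body></html>"""

# Extensions that typically carry patient documents (assumed list).
SENSITIVE_EXTS = {".pdf", ".rar", ".zip", ".doc", ".docx", ".xls", ".xlsx", ".csv"}


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every <a href> from a page."""

    def __init__(self):
        super().__init__()
        self.title_parts = []
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def inventory_listing(html, base_url="https://example.invalid/reports/"):
    """Decide whether `html` is a directory listing and inventory what it exposes.

    Only the listing page itself is needed as input; no file is requested, so
    the only trace left in the server log is one GET of the folder URL.
    """
    collector = _LinkCollector()
    collector.feed(html)
    title = "".join(collector.title_parts).strip()

    # Autoindex pages title themselves "Index of ..." and carry column-sort links
    # of the form "?C=N;O=D"; either signal is enough to call it a listing.
    sort_links = [h for h in collector.hrefs if h.startswith("?C=")]
    is_listing = title.lower().startswith("index of") or len(sort_links) >= 2

    files, subdirs = [], []
    for href in collector.hrefs:
        # Skip sort links, the parent-directory link and any absolute URLs.
        if href.startswith(("?", "/", "http://", "https://")):
            continue
        if href.endswith("/"):
            subdirs.append(href)  # subfolders to enumerate with further GETs
        else:
            files.append(urljoin(base_url, href))

    by_ext = Counter(os.path.splitext(f)[1].lower() for f in files)
    sensitive = sum(n for ext, n in by_ext.items() if ext in SENSITIVE_EXTS)
    return {
        "is_listing": is_listing,
        "title": title,
        "files": files,
        "subdirs": subdirs,
        "by_ext": by_ext,
        "sensitive": sensitive,
    }


if __name__ == "__main__":
    report = inventory_listing(SAMPLE_INDEX)
    print(f"listing: {report['is_listing']}  title: {report['title']!r}")
    print(f"files: {len(report['files'])}  sensitive: {report['sensitive']}")
    print("by extension:", dict(report["by_ext"]))
    print("subfolders still to enumerate:", report["subdirs"])
```

The file URLs the function returns are evidence enough to report the exposure; requesting them would both add entries to the logs the paste is trying to preserve and put copies of patient data on the reporter's machine. On the server side, the immediate fix for an Apache host is `Options -Indexes` for that directory (or removing the directory from the web root altogether); as the paste notes, that alone does not undo the indexing, so the cached copies still have to be removed from the search engine separately.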