In a major data security lapse, Football Australia, the governing body for football in the country, has inadvertently leaked secret keys, potentially compromising access to a vast trove of sensitive information. The exposed data includes personal details of players, ticket buyer information, and critical documents such as players’ contracts.
The Cybernews research team uncovered the exposure, revealing that plain-text Amazon Web Services (AWS) credentials, including the secret access key, were hardcoded into the HTML of a Football Australia subdomain. These keys, which let an application authenticate to the cloud platform, were readable by anyone who viewed the page source, scoring what could be described as an “own goal” in terms of data security.
The plain-text keys granted access to a staggering 127 cloud storage buckets. Worse, one of those buckets, holding personal information, contracts, and documents of football players, was publicly accessible and did not require authentication at all.
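The defect described above is detectable before deployment: AWS access key IDs have a fixed shape (a four-letter prefix such as AKIA, or ASIA for temporary credentials, followed by 16 upper-case alphanumerics), and a secret access key is 40 characters of a base64-like alphabet, so a pre-deploy scan of built HTML and JavaScript catches them. The scanner below is an added example written for this article, not code from Cybernews or Football Australia; the sample page and the key values in it are constructed (the values are the placeholders AWS itself uses in its documentation, not real credentials).

```python
import re

# Constructed sample page (not Football Australia's): a build artefact where a developer
# inlined AWS credentials into a script tag. The key values are the well-known AWS
# documentation placeholders, not live credentials.
SAMPLE_HTML = """<html><head>
<script>
  var s3 = new AWS.S3({
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    region: "ap-southeast-2"
  });
</script>
</head><body>Fixtures</body></html>"""

# Long-term access key IDs start with AKIA; STS temporary credentials start with ASIA.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 base64-like characters. On its own that pattern matches too
# much (hashes, tokens), so require it to sit next to a label containing "secret".
SECRET_KEY_RE = re.compile(r"""(?i)secret[_a-z]*\s*[:=]\s*['"]([A-Za-z0-9/+]{40})['"]""")


def mask(value):
    """Keep the first and last four characters so a finding can be matched to an IAM key
    without copying the whole credential into a report or log."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(text):
    """Scan page text line by line; return (kind, masked_value, line_no) for each hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(("access_key_id", mask(m.group(1)), line_no))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(("secret_access_key", mask(m.group(1)), line_no))
    return findings


if __name__ == "__main__":
    for kind, value, line_no in find_aws_credentials(SAMPLE_HTML):
        print(f"line {line_no}: {kind} {value}")
```

If a scan like this fires on a published page, treat the key as compromised rather than merely exposed: deactivate and rotate it in IAM first, then review CloudTrail for use of that access key ID, since anything served in page source has been crawlable by third parties for as long as it was online.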
The “storage containers” at issue here are cloud storage buckets (Amazon S3, the AWS object-storage service the leaked keys authenticate to), each holding files such as documents and database exports. They should not be confused with software containers, the Docker-style packages that bundle an application with its dependencies so it runs the same way in any environment; those are a different technology and are not what was exposed in this incident.
Upon notification by the research team, Football Australia promptly addressed the issue and issued a statement acknowledging the incident. The organization pledged to keep stakeholders informed as they work to establish more details surrounding the breach, Cybernews said in its report.
The exposed data encompasses:
Personal identifiable information of players
Ticket purchase details
Internal infrastructure specifics
Source code and scripts of the digital infrastructure
The exact number of affected individuals is difficult to establish without going beyond what responsible disclosure permits, but the research team estimates that every customer or fan of Australian football may have been impacted.
While the team believes human error, most likely a developer oversight, caused the leak, the incident remains a critical data exposure. Although the team could not quantify the total volume of data exposed, it determined that the leaked secret could unlock 126 buckets of data.
Furthermore, a particularly alarming discovery was an unprotected bucket that was publicly readable without any keys at all. It held sensitive information, including football players’ passports and contracts.
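A bucket ends up readable “without any keys” through one of two paths: a bucket policy that grants access to the anonymous principal (`"Principal": "*"`), or a legacy ACL that grants the AllUsers group, and either is neutralised only by the matching setting in S3 Block Public Access (RestrictPublicBuckets for policies, IgnorePublicAcls for ACLs). The evaluator below is an added example for this article, not Cybernews tooling or anything from Football Australia's environment; the policy, ACL and block-settings documents are constructed, and the bucket and account identifiers in them are placeholders.

```python
import json

# Constructed inputs (placeholders, not Football Australia's account). These mirror the
# JSON returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and
# `get-public-access-block`.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::player-documents/*"}
    ]
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/contracts-app"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::player-documents/*"}
    ]
})
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
EMPTY_ACL = {"Grants": []}
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal):
    """Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}; all mean anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Allow statements whose principal is everyone. A Condition may narrow the grant
    (e.g. to a VPC endpoint), so it is recorded rather than silently trusted."""
    policy = json.loads(policy_json)
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal")):
            hits.append({"sid": st.get("Sid"), "actions": _as_list(st.get("Action", [])),
                         "conditional": "Condition" in st})
    return hits


def public_acl_grants(acl):
    """Permissions the ACL hands to the AllUsers group (anonymous access)."""
    return [g.get("Permission") for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") == ALL_USERS]


def bucket_is_public(policy_json, acl, public_access_block):
    """Effective anonymous access. RestrictPublicBuckets stops a public policy from
    granting anonymous access; IgnorePublicAcls does the same for ACL grants.
    (BlockPublicPolicy/BlockPublicAcls only reject *new* public settings.)"""
    via_policy = bool(public_statements(policy_json)) \
        and not public_access_block.get("RestrictPublicBuckets", False)
    via_acl = bool(public_acl_grants(acl)) \
        and not public_access_block.get("IgnorePublicAcls", False)
    return via_policy or via_acl


if __name__ == "__main__":
    print("public policy, block off:", bucket_is_public(PUBLIC_POLICY, EMPTY_ACL, PAB_OFF))
    print("public policy, block on: ", bucket_is_public(PUBLIC_POLICY, EMPTY_ACL, PAB_ON))
```

In practice the quickest fix for an account full of buckets is to turn on all four Block Public Access settings at the account level (`aws s3control put-public-access-block`), which closes both paths at once, and then to fix the individual policies and ACLs so nothing depends on that backstop.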
The research team emphasized the severe threats posed by the exposed data, such as identity theft, fraud, or blackmail, necessitating urgent improvements in security practices to safeguard sensitive information. Football Australia, responsible for overseeing various national teams and governing bodies, now faces scrutiny as it investigates the matter as a priority.