DE

SMEX BLOGPOST.
SMEX BLOGPOST VOL. IV

By FNF Lebanon and SMEX
SMEX BLOGPOST VOL. IV

SMEX BLOGPOST VOL. IV

On January 27, the Lebanese General Security launched a new platform (gs-appt.gov.lb) for booking passport renewal appointments to solve the problem of overcrowding in application centres. After a quick inspection, SMEX discovered that the platform is lacking data security and privacy measures, as well as transparency, and that it’s powered by Hani Saliba Foundation, an NGO belonging to a candidate running for elections.

The platform’s developer responded to our thread in a post on Reddit explaining that the General Security’s platform is safe, confirming that it has the SSL certificate. The platform currently runs an SSL certificate, but it was missing on Thursday when we wrote our initial thread. 

As promised, we are publishing the detailed technical analysis of the (gs-appt.gov.lb) platform. 

Our tech team detected a configuration leak on the IP on which we suspect the gs-appt.gov.lb is running now. This configuration leak was found on a development environment on which the developers of the application test out the app before making it public and accessible and fully functional. It’s a bad practice to put development environments publicly as it might represent a security risk. The configuration leak contains Database configurations such as database name, username and password and some sensitive information. It’s important to note the danger of deploying development code on publicly available servers, as important information concerning the platform might be revealed.

We are publishing the technical details for General Security or any other public or private entity to embed privacy, data protection, and security by design. 

We also urge all ministries, departments, official institutions, and private companies to ensure that privacy, data security, and transparency are at the forefront of any platform or website, public or private, that collects and processes personal data, particularly on a large scale, and that all of this is spelled out in the Privacy and Terms of use policy.

Catch full article here!