Bad form: FBI server sending fake emails taken offline and fixed, no data impacted
The FBI has placed the blame for a weekend fake email incident on a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) that allowed emails to be sent from the ic.fbi.gov domain.
“LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners,” it said.
“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”
The FBI said it initially took the “impacted hardware” quickly offline, and later said it quickly remediated the “software vulnerability” as well as confirmed its network integrity.
Spamhaus said it saw two waves of email being sent.
Brain Krebs reported the sender of the emails found they were able to send emails because the FBI was generating a client-side one-time code to sign up to a new account on LEEP, and it was sent along with an email subject and body as a POST request to the FBI’s servers. Manipulating the request parameters enabled the emails to be sent, and a script was used to automate the sending process.
It would seem all the so-called misconfigurations and software vulnerabilities were in the way the FBI had its portal built, with the cherry on top being how it exposed and piped user input to a mail server. Pretty embarrassing and worthy of a dozen facepalms, at least.