This report was fully disclosed on 19 August 2020
An IP address that appears to be managed by “Volly” (formerly SoftVu/LoyaltyExpress) and is running “Apache Airflow” is accessible to remote unauthenticated users, causing sensitive information disclosure and potentially allowing denial of service and service interruption.
Volly is described as “the mortgage and banking industries’ most innovative component-based platform that seamlessly integrates marketing and customer engagement strategies with robust lending technologies.”
Proof of Concept
The IP address in question is 18.104.22.168:8080. Simply opening the affected target in a web browser reveals sensitive information such as the Slack token shown at /admin/variable/. Additionally, no authentication is required to make modifications within Apache Airflow.
Viewing the affected target reveals several pieces of sensitive data, including but not limited to the following Slack token:
Using the auth.test Slack API function we can determine the token is for softvu.slack.com as shown at
softvu.slack.com reveals two domains, @loyaltyexpress.com, both of which now redirect to
Additionally, using the users.list Slack API function reveals 119 email addresses all ending with either
With the above information extracted from the exposed Slack token we can confidently assess that the asset likely belongs to Volly. While additional authentication tokens were exposed on several different pages, including DAG code, only the Slack token’s validity was verified.
It is also important to note that, in addition to sensitive information disclosure, it is possible to make modifications and perform actions as an administrative user on the Apache Airflow instance. This could lead to remote code execution, denial of service, or additional sensitive information exposure.
- Implement proper access controls.
- Revoke exposed credentials and tokens.
- Review access logs for all exposed services and credentials to check for unauthorized access.
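The following script is an added example for the first and third recommendations above; it is not part of the original report and not code from Volly or the Apache Airflow project. It audits an Airflow 1.10-era airflow.cfg for the settings that leave the web UI and experimental REST API open without a login (the condition described in this report), and it reviews webserver access-log lines for successful unauthenticated hits on the pages that expose Variables, Connections and configuration. The configuration keys are the real Airflow 1.10 options; the log format is assumed to be gunicorn's default combined format, and all sample config text and log lines are constructed for the example.

```python
import configparser
import re
from typing import List, Tuple

# Airflow 1.10 UI/API pages that expose secrets when reachable without a login.
# Classic-UI paths first, RBAC-UI equivalents after (assumption: 1.10.x routes).
SENSITIVE_PATHS = (
    "/admin/variable/",
    "/admin/connection/",
    "/admin/configurationview/",
    "/variable/list/",
    "/connection/list/",
)

# gunicorn/Airflow combined access-log line, e.g.
# 203.0.113.7 - - [19/Aug/2020:20:01:13 +0000] "GET /admin/variable/ HTTP/1.1" 200 48213 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def audit_airflow_cfg(cfg_text: str) -> List[str]:
    """Return one finding per setting that leaves the instance open to anonymous users.

    Missing options fall back to the Airflow 1.10 defaults, which are the weak values
    for the UI and the API (assumption based on 1.10.x default_airflow.cfg).
    """
    parser = configparser.ConfigParser(interpolation=None)  # airflow.cfg uses %(..)s
    parser.read_string(cfg_text)
    findings = []

    # Classic UI login is controlled by `authenticate`; the FAB-based UI by `rbac`.
    # Only when both are off does every visitor act as an administrator.
    rbac = parser.getboolean("webserver", "rbac", fallback=False)
    authenticate = parser.getboolean("webserver", "authenticate", fallback=False)
    if not (rbac or authenticate):
        findings.append("web UI: no login required ([webserver] rbac and authenticate both False)")

    # The experimental REST API accepts every request with the default backend.
    api_backend = parser.get("api", "auth_backend", fallback="airflow.api.auth.backend.default")
    if api_backend.strip() == "airflow.api.auth.backend.default":
        findings.append("experimental API: [api] auth_backend = default accepts unauthenticated requests")

    # expose_config renders airflow.cfg (and any secrets in it) in the UI.
    if parser.getboolean("webserver", "expose_config", fallback=False):
        findings.append("web UI: [webserver] expose_config = True shows airflow.cfg in the browser")
    return findings


def sensitive_hits(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, method, path) for successful requests to sensitive pages.

    A 200 on these paths means the page was served; once a login is enforced the same
    request produces a 302 to the login form, which is not reported.
    """
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not an access-log line (or a format this parser does not know)
        path = match.group("path").split("?")[0]
        if match.group("status") == "200" and any(path.startswith(p) for p in SENSITIVE_PATHS):
            hits.append((match.group("ip"), match.group("ts"), match.group("method"), path))
    return hits


# Constructed sample config in the state described by the report (no login anywhere).
EXPOSED_CFG = """\
[webserver]
authenticate = False
rbac = False
expose_config = True

[api]
auth_backend = airflow.api.auth.backend.default
"""

# Constructed hardened config: login on both UIs, API denied, config hidden.
HARDENED_CFG = """\
[webserver]
authenticate = True
auth_backend = airflow.contrib.auth.backends.password_auth
rbac = True
expose_config = False

[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

# Constructed access-log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Aug/2020:20:01:13 +0000] "GET /admin/variable/ HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Aug/2020:20:01:20 +0000] "GET /admin/connection/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Aug/2020:20:02:00 +0000] "GET /admin/ HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Aug/2020:20:03:41 +0000] "GET /admin/variable/ HTTP/1.1" 302 209 "-" "curl/7.68.0"
""".splitlines()

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CFG), ("hardened", HARDENED_CFG)):
        print(f"{name}: {audit_airflow_cfg(cfg) or ['no findings']}")
    for hit in sensitive_hits(SAMPLE_LOG):
        print("sensitive page served:", hit)
```

Run the audit against the live airflow.cfg before re-exposing any instance, and treat every hit returned by sensitive_hits as a credential exposure event, since a served Variables page hands out everything stored there; that is what drives the second recommendation to revoke the tokens rather than only closing the port.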
According to Uptime Robot the Slack token was revoked as of 2020-08-19 21:50:05. Additionally, the exposed Airflow interface was taken down as of
Response From Affected Party
No response has been received.
- 7 February 2020: Affected Party Notified
- 19 August 2020: Affected Party Released Patch (+194 days)
- 19 August 2020: Report Published (+194 days)