This report was fully disclosed on 19 August 2020
Summary
An IP address appearing to be managed by “Volly” (formerly SoftVu/LoyaltyExpress) and running Apache Airflow is accessible to remote unauthenticated users, causing sensitive information disclosure and potentially allowing denial of service and service interruption.
Volly is described as “the mortgage and banking industries’ most innovative component-based platform that seamlessly integrates marketing and customer engagement strategies with robust lending technologies.”
Proof of Concept
The IP address in question is 18.216.123.147:8080. Simply opening the affected target in a web browser reveals sensitive information such as the Slack token shown at /admin/variable/. Additionally, no authentication is required to make modifications within Apache Airflow.
Viewing the affected target reveals several pieces of sensitive data, including but not limited to the following Slack token: xoxb-116199269811-LPKzljDYdXJIpD175PdQmFOO.
Using the auth.test Slack API method we can determine that the token belongs to softvu.slack.com, as shown at https://slack.com/api/auth.test?token=xoxb-116199269811-LPKzljDYdXJIpD175PdQmFOO&pretty=1.
Visiting softvu.slack.com reveals two domains, @softvu.com and @loyaltyexpress.com, both of which now redirect to myvolly.com.
Additionally, using the users.list Slack API method reveals 119 email addresses, all ending with @myvolly.com, @softvu.com, or @loyaltyexpress.com.
With the above information extracted from the exposed Slack token we can confidently assess that the asset likely belongs to Volly. While additional authentication tokens were exposed on several different pages, including DAG code, only the Slack token’s validity was verified.
It is also important to note that, in addition to sensitive information disclosure, it is possible to make modifications and perform actions as an administrative user on the Apache Airflow instance. This could lead to remote code execution, denial of service, or additional sensitive information exposure.
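Because the report notes that further tokens sat in Variables and DAG code and only one was verified, an operator cleaning up an exposure like this needs an inventory of every credential that may have been viewable. The following is an added example, not code from the report or from the Airflow project: it scans a dump of Airflow Variables (the JSON object produced by `airflow variables export`) and the text of DAG files for credential-shaped values and for credential-suggesting variable names, and reports each finding with the value masked so the report itself does not re-expose the secret. The token and key in the sample data are constructed placeholders, and the pattern list and name hints are assumptions to extend for your own environment.

```python
import json
import re

# Value shapes of well-known credential types (constructed list; extend as needed).
SECRET_PATTERNS = {
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Variable names that should be treated as credentials even when the value has no recognisable shape.
SENSITIVE_NAME_HINTS = ("token", "secret", "password", "passwd", "api_key", "apikey")


def mask(value):
    """Keep only a short prefix so a finding can be reported without re-exposing the secret."""
    return value[:6] + "..." if len(value) > 6 else "***"


def scan_text(source, text):
    """Return one finding per credential-shaped match in `text`, tagged with where it came from."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append({"source": source, "kind": kind, "value": mask(match.group(0))})
    return findings


def scan_variables(variables_json):
    """Scan an `airflow variables export` dump: a JSON object mapping variable name to value."""
    findings = []
    for name, value in json.loads(variables_json).items():
        text = value if isinstance(value, str) else json.dumps(value)
        source = f"variable:{name}"
        matched = scan_text(source, text)
        findings.extend(matched)
        # Flag by name only when the value itself did not already match a known shape.
        if not matched and any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS):
            findings.append({"source": source, "kind": "sensitive_name", "value": mask(text)})
    return findings


def scan_dag_source(path, source_code):
    """Scan the text of a DAG file for hard-coded credentials."""
    return scan_text(f"dag:{path}", source_code)


# Constructed sample data; the token and key below are placeholders, not real credentials.
SAMPLE_VARIABLES = json.dumps({
    "slack_token": "xoxb-000000000000-EXAMPLE",
    "report_bucket": "example-reports",
    "db_password": "correct-horse-battery",
    "region": "us-east-2",
})

SAMPLE_DAG = '''
from airflow import DAG
AWS_KEY = "AKIAEXAMPLEKEY000000"  # placeholder, constructed for this example
'''


def audit(variables_json=SAMPLE_VARIABLES, dag_files=None):
    """Combine variable and DAG findings into one list to drive a revoke/rotate checklist."""
    dag_files = dag_files if dag_files is not None else {"example_dag.py": SAMPLE_DAG}
    findings = scan_variables(variables_json)
    for path, code in dag_files.items():
        findings.extend(scan_dag_source(path, code))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(f"{finding['kind']:<18} {finding['source']:<28} {finding['value']}")
```

Every finding in the list is a credential to revoke and reissue, whether or not the exposed instance's logs show it was read; values that matched a known shape are rotated first, and the name-only hits are reviewed by hand, since a value with no recognisable shape can still be a live secret.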
Recommended Actions
- Implement proper access controls.
- Revoke exposed credentials and tokens.
- Review access logs for all exposed services and credentials to determine whether any unauthorized access occurred.
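The first and third actions above can each be checked mechanically. The following is an added example, not code from the report or from the Airflow project: the first function checks the [webserver] settings of an Airflow 1.10-era airflow.cfg that decide whether the UI requires a login (the keys authenticate, rbac and expose_config are assumed from that version; Airflow 2 always requires a login and configures API auth under [api] instead), and the second reviews webserver access log lines for requests to sensitive views that did not come from a trusted network. Only /admin/variable/ comes from the report; the sibling paths /admin/connection/ and /admin/configurationview/, the combined log format, the trusted network and the sample log lines are constructed assumptions.

```python
import configparser
import ipaddress
import re

# UI paths whose exposure the report describes. /admin/variable/ is from the report; the other two are
# assumed sibling views of the Airflow 1.10 UI.
SENSITIVE_PATHS = ("/admin/variable/", "/admin/connection/", "/admin/configurationview/")

# Combined access log line as written by gunicorn or a reverse proxy (constructed format assumption).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def check_webserver_auth(airflow_cfg_text):
    """Return the problems found in the [webserver] section of an Airflow 1.10-style airflow.cfg."""
    cfg = configparser.ConfigParser(interpolation=None)  # airflow.cfg values may contain '%'
    cfg.read_string(airflow_cfg_text)
    problems = []
    if not cfg.getboolean("webserver", "authenticate", fallback=False):
        problems.append("webserver.authenticate is not True: anyone who can reach the port gets the full UI")
    if not cfg.getboolean("webserver", "rbac", fallback=False):
        problems.append("webserver.rbac is not True: no per-role limits on Variables, Connections or DAG actions")
    if cfg.getboolean("webserver", "expose_config", fallback=False):
        problems.append("webserver.expose_config is True: airflow.cfg contents are viewable from the UI")
    return problems


def review_access_log(lines, trusted_networks):
    """Return requests to sensitive UI paths that came from outside the trusted networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        src = ipaddress.ip_address(m["ip"])
        path = m["path"]
        if any(path.startswith(p) for p in SENSITIVE_PATHS) and not any(src in net for net in trusted):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": path, "status": int(m["status"])})
    return hits


# Constructed sample configurations: the exposed state beside the corrected one.
OPEN_CFG = """
[webserver]
authenticate = False
rbac = False
expose_config = True
"""

HARDENED_CFG = """
[webserver]
authenticate = True
rbac = True
expose_config = False
"""

# Constructed sample log lines; 203.0.113.0/24 is a documentation range, not a real source.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Aug/2020:21:40:01 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Aug/2020:21:41:13 +0000] "GET /admin/variable/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Aug/2020:21:41:20 +0000] "POST /admin/variable/edit/?id=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/Aug/2020:21:42:05 +0000] "GET /admin/variable/ HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for problem in check_webserver_auth(OPEN_CFG):
        print("config:", problem)
    for hit in review_access_log(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("log:", hit["time"], hit["ip"], hit["method"], hit["path"], hit["status"])
```

A 200 on a sensitive view from an untrusted source is evidence the data was read and the credentials on that page must be rotated; a POST to an edit path from the same source means the instance itself should be treated as modified and its Variables, Connections and DAG files compared against a known-good copy before it is brought back.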
Remediation Status
According to Uptime Robot, the Slack token was revoked as of 2020-08-19 21:50:05. Additionally, the exposed Airflow interface was taken down as of 2020-05-16 20:47:49.
Response From Affected Party
No response has been received.
Timeline
- 7 February 2020: Affected Party Notified
- 19 August 2020: Affected Party Released Patch (+194 days)
- 19 August 2020: Report Published (+194 days)