A prankster exploited a software flaw in an FBI portal to send emails purporting to be from the agency, the FBI admitted November 14, acknowledging that “illegitimate email originated from an FBI operated server.”
As first reported by Brian Krebs, late on November 12, “tens of thousands of emails began flooding out from the FBI address firstname.lastname@example.org, warning about fake cyberattacks”, after a hacker calling themselves “Pompompurin” breached a component of the online FBI portal -- which is shared with numerous other intelligence agencies as well as the Department of Justice (DOJ).
The incident stemmed from a flaw in the Law Enforcement Enterprise Portal (LEEP), which the FBI describes as “a secure platform for law enforcement agencies, intelligence groups, and criminal justice entities [that] provides web-based investigative tools and analytical resources [to let] users collaborate in a secure environment, use tools to strengthen their cases, and share departmental documents.”
The actual IT infrastructure of the LEEP itself does not appear to have been breached. Rather, the hacker exploited a flaw in how the portal generates and confirms new accounts for users.
The FBI said: “The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”
The agency added: “Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
The Department of Justice (DOJ) makes a handy step-by-step guide to registering a new account on the LEEP portal publicly available. New users get sent a one-time passcode, but the FBI’s own website also leaked that one-time passcode in the HTML code of the web page – after urging users to visit the page using the legacy browser Microsoft Internet Explorer, which has been retired by Microsoft for security and other reasons.
“Pompompurin said they were able to send themselves an email from email@example.com by editing the request sent to their browser and changing the text in the message’s ‘Subject’ field and ‘Text Content’ fields,” Krebs noted, quoting the person responsible as having told them that “Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request. This post request includes the parameters for the email subject and body content.” (They then replaced those parameters with their own message subject and body, and automated the sending of their own message.)
Luckily for the FBI, the hacker chose to use this vulnerability to smear Vinny Troia, the founder of the dark web intelligence companies NightLion and Shadowbyte, as part of what Bleeping Computer reports is a long-standing feud – later also attacking Troia in a new blog post shared on Twitter. Another attacker might have used it to craft convincing spearphishing attacks launched from a credible FBI email address.
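The account-confirmation flaw described above comes down to a server that mails whatever subject, body and passcode the client's request supplies. The sketch below is an added example, not the FBI's or LEEP's code: it sets that pattern beside a handler that accepts only the recipient address, generates the passcode server-side and never returns it in the response. All names, field names and the mail template are hypothetical, and the outbox list stands in for a mail relay.

```python
import hmac
import secrets
import time

# Hypothetical fixed template: message text lives on the server only.
SUBJECT = "Your account confirmation code"
BODY = "Your one-time passcode is {code}. It expires in 10 minutes."
TTL_SECONDS = 600

pending = {}   # email -> (code, expiry timestamp)
outbox = []    # stands in for the notification mail relay


def send_mail(to, subject, body):
    outbox.append({"to": to, "subject": subject, "body": body})


def vulnerable_handler(form):
    """Flawed pattern: subject and body are taken from the client's POST."""
    send_mail(form["email"], form["subject"], form["body"])
    return {"status": "sent"}


def hardened_handler(form):
    """Accept only the recipient; everything else is produced server-side."""
    email = form.get("email", "")
    # Any extra field, or CR/LF in the address (header injection), is refused.
    if set(form) != {"email"} or any(c in email for c in "\r\n"):
        return {"status": "rejected"}
    code = f"{secrets.randbelow(10**6):06d}"
    pending[email] = (code, time.time() + TTL_SECONDS)
    send_mail(email, SUBJECT, BODY.format(code=code))
    # The passcode is never echoed in the response (or the page HTML).
    return {"status": "sent"}


def verify(email, submitted):
    """Single-use check: the stored code is consumed on any attempt."""
    code, expiry = pending.pop(email, (None, 0))
    if code is None or time.time() >= expiry:
        return False
    return hmac.compare_digest(code.encode(), submitted.encode())
```
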