Exceptional: A bug in the assistance dashboard of Palo Alto Networks (PAN) uncovered thousands of purchaser assistance tickets to an unauthorized particular person, BleepingComputer has learned.
The uncovered information and facts included, names and (business enterprise) get hold of information of the person developing assistance tickets, discussions amongst Palo Alto Networks workers members and the purchaser.
Evidence shared with BleepingComputer indicates some assist tickets contained attachments—like firewall logs, configuration dumps, and other debugging assets shared with the PAN staff by customers.
Palo Alto Networks, a foremost service provider of cybersecurity and networking merchandise and firewalls, tells BleepingComputer it has now fastened the issue—about eight times following it was reported.
How may I help you currently?
A misconfiguration in the help procedure of Palo Alto Networks permitted sensitive data disclosure —letting a customer access personal assistance tickets from other companies.
A PAN customer who prefers to stay anonymous uncovered the issue this thirty day period and noted it to Palo Alto Networks personnel, who have now fixed the situation.
The customer additional advised BleepingComputer that they could see approximately 1,989 assistance scenarios that did not belong to them or their group, and shared screenshots attesting to the actuality:
Some of these help conditions had file attachments this kind of as firewall logs, configuration dumps, network protection team (NSG) layouts, images of error messages, and similar internal files shared by consumers with Palo Alto Networks for troubleshooting reasons.
The screenshot exhibits a “down load” icon following to each file. Observe, the client tipping us off did not share any of the documents with BleepingComputer and claims not downloading the documents either.
Some other details exposed in the assistance tickets included:
- Speak to title, title, electronic mail address and phone range of the customer creating the tickets
- Contents of conversations in between PAN guidance team and prospects
- PAN Item serial range and model
- Case numbers, subject line, and ask for severity (Critical, Superior, Medium, Lower)
“The initial problems commenced when I registered for a Palo Alto support account on the 10th of March,” the unnamed customer tells BleepingComputer.
“Right after logging in, my browser would get trapped in a redirect loop when hoping to entry Palo Alto knowledgebase, but a lot more importantly, it was returning 403 insufficient permissions when trying to login to Palo Alto Hub, from wherever Cloud Identification Motor could be installed.”
The client lifted this challenge with PAN support and was instructed their entry to the Palo Alto Hub was “set.”
“Nonetheless, to my shock, when I logged in to the guidance portal, I was capable to see not only the assist circumstances I raised, but also ~1990 help situations below ‘My Firm’s Cases’ tab,” even more explains the user.
Palo Alto Networks: ‘no knowledge was downloaded or altered’
On recognizing the accessibility blunder, the shopper tells BleepingComputer that they promptly notified Palo Alto Networks, both by elevating a “critical assistance ask for” and making contact with decide on PAN associates on LinkedIn.
BleepingComputer reached out to PAN to greater realize the scope and effect of this info leak.
PAN says that no information was downloaded and indicates that the scope of the leak remained restricted to just one customer:
“We were being notified of an issue that allowed an authorized customer to view a compact subset of help cases, which they typically would not be in a position to see,” a Palo Alto Networks spokesperson advised BleepingComputer.
“We immediately initiated an investigation and identified it was due to a permission misconfiguration mistake in a help process.”
“Our analysis confirmed no information was downloaded or altered, and the concern was right away remediated.”
Notice, even so, the bug correct took around eight times, soon after which the aforementioned customer’s access to the 1,900 unrelated tickets was revoked.
PAN did not solution if it notified customers whose details was impacted by the data leak bug, or if it was organizing on accomplishing so.
At this time, the enterprise claims, there is no customer action demanded and that it is self-assured that its solutions and solutions are secure.