EXCLUSIVE: A bug in the support control panel of Palo Alto Networks(PAN)exposed countless consumer support tickets to an unapproved individual, BleepingComputer has actually discovered. The exposed details included, names and (company) contact details of the person creating support tickets, discussions in between Palo Alto Networks team member and the consumer.
Proof shared with BleepingComputer suggests some support tickets included attachments– like firewall software logs, setup disposes, and other debugging properties shared with the PAN staff by customers.
Palo Alto Networks, a leading service provider of cybersecurity and networking items and firewalls, tells BleepingComputer they have now fixed the problem– about 8 days after it was reported.
How may I assist you today?
A misconfiguration in the support group of Palo Alto Networks permitted sensitive info disclosure– letting a consumer access private support tickets from other business.
A PAN client who prefers to remain anonymous found the issue this month and reported it to Palo Alto Networks personnel, who have actually now dealt with the problem.
The client even more told BleepingComputer that they could see roughly 1,989 support cases that did not belong to them or their company, and shared screenshots vouching for the truth:
Palo Alto Networks Assistance Dashboards exposing support tickets (BleepingComputer )Some of these support cases had file accessories such as firewall program logs, setup dumps, network security group (NSG)designs, images of error messages, and comparable internal files shared by consumers with Palo Alto Networks for troubleshooting purposes.
The screenshot shows a “download” icon beside every file. Keep in mind, the consumer tipping us off did not share any of the files with BleepingComputer and declares not downloading the files either.
One example of file accessories that might be downloaded(BleepingComputer)Some other details exposed in the assistance tickets consisted of:
- Contact name, title, email address and telephone number of the consumer producing the tickets
- Contents of discussions in between PAN assistance staff and consumers
- PAN Item serial number and design
- Case numbers, subject line, and demand severity (Critical, High, Medium, Low)
“The first problems began when I signed up for a Palo Alto support account on the 10th of March,” the unnamed consumer informs BleepingComputer.
“After visiting, my web browser would get stuck in a redirect loop when trying to access Palo Alto knowledgebase, but more significantly, it was returning 403 inadequate consents when attempting to login to Palo Alto Center, from where Cloud Identity Engine could be installed.”
The customer raised this concern with PAN assistance and was told their access to the Palo Alto Center was “fixed.”
“However, to my surprise, when I logged in to the assistance website, I had the ability to see not only the support cases I raised, however also ~ 1990 assistance cases under ‘My Company’s Cases’ tab,” further explains the user.
Palo Alto Networks: ‘no information was downloaded or changed’
On understanding the access oversight, the consumer tells BleepingComputer that they without delay notified Palo Alto Networks, both by raising a “crucial support demand” and getting in touch with select PAN members on LinkedIn.
BleepingComputer connected to PAN to better understand the scope and impact of this data leak.
PAN says that no data was downloaded and implies that the scope of the leak remained limited to just one customer:
“We were notified of a concern that allowed an authorized consumer to view a little subset of support cases, which they typically would not have the ability to view,” a Palo Alto Networks spokesperson told BleepingComputer.
“We instantly started an examination and determined it was due to a consent misconfiguration error in a support group.”
“Our analysis validated no data was downloaded or altered, and the issue was instantly remediated.”
Keep in mind, however, the bug fix took approximately 8 days, after which the aforementioned consumer’s access to the 1,900 unassociated tickets was withdrawed.
PAN did not address if it informed consumers whose information was affected by the information leak bug, or if they were planning on doing so.
At this time, Palo Alto Networks says, there is no consumer action required and that it is confident that its products and services are safe and secure.