One bad search on the government website for South Carolina's capital city could've exposed an entire database.
The city of Columbia site had a security flaw in its search tool, according to independent security researcher Arif Khan. The flaw let anyone view passwords for the website's database and email protocol servers, creating a massive potential for abuse, Khan said on Thursday.
The vulnerability made it possible for someone to "pull sensitive data out of the Columbia city government's database," Khan said. With access to the email protocol servers, an attacker could've also created spoof emails that looked like they'd come from the city government.
The flaw involved a misconfiguration of the site's search function. If you searched for a term that couldn't be found in the site's database, the site would inadvertently serve up an error page meant only for administrators. I was able to reproduce the security flaw through the site's search function multiple times, including by searching on my own name and phrases like "Bazinga."
The vulnerability was fixed after CNET reached out to city officials about the issue. The Columbia city government didn't respond to a request for comment, but a representative confirmed that it did receive the inquiry.
Khan said he contacted city officials in September but never heard back from them. He reached out again in October, he said, and another security researcher also publicly contacted the city government in November on Twitter.
Cybercriminals often target city governments because they serve an important function and have access to sensitive information. Last November, the Justice Department brought charges against two Iranian hackers who caused more than $30 million in damages through ransomware attacks on cities like Newark, New Jersey, Atlanta and San Diego.
At the end of March, New York's capital announced it was also hit with a hack. It's not clear if any malicious actors found the vulnerability on the Columbia government's website, but the exposure had the potential to cause a lot of harm.
Khan said that though the credentials were exposed, he didn't try to access to government's database because of ethical concerns.