
Debug Mode in Laravel PHP Framework Exposes Over 750 Websites

  • This incident has exposed over 768 websites, of which 10 to 20 percent contain sensitive configurations.
  • Researchers noted that most of the exposed websites belong to charities and small businesses.

What is the issue?

Comparitech along with security researchers Bob Diachenko and Sebastien Kaul have uncovered almost 768 websites that were exposed via Laravel’s debug mode.

What is the root cause?

Laravel is a popular open-source PHP framework that is used to develop web applications.

  • This framework includes a debug mode that allows developers to identify errors and misconfigurations on the sites’ network before websites go live.
  • However, many developers fail to disable the debug mode even after going live, thereby exposing backend website details such as database locations, credentials, secret keys, and other sensitive information.
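As an added illustration (not code from the article or from the Laravel project), the following PHP check targets the root cause described above: it parses a Laravel `.env` file and reports when `APP_DEBUG` is still on while `APP_ENV` is `production`, listing the secrets a debug error page would render. The `.env` contents are constructed sample values; `APP_DEBUG` and `APP_ENV` are Laravel's standard configuration keys.

```php
<?php
// Added example: pre-deploy audit of a Laravel .env file for the
// "debug mode left on in production" misconfiguration. Not Laravel code.
declare(strict_types=1);

/** Parse KEY=value lines of a .env file into an associative array. */
function parseEnv(string $contents): array
{
    $vars = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue;                      // skip blanks, comments, junk
        }
        [$key, $value] = explode('=', $line, 2);
        $vars[trim($key)] = trim($value, " \t\"'"); // strip optional quotes
    }
    return $vars;
}

/** Return findings; an empty array means the file is safe to go live with. */
function auditEnv(string $contents): array
{
    $env      = parseEnv($contents);
    $isProd   = ($env['APP_ENV'] ?? 'production') === 'production';
    $debugOn  = in_array(strtolower($env['APP_DEBUG'] ?? 'false'),
                         ['true', '1', 'on', 'yes'], true);
    $findings = [];

    if ($isProd && $debugOn) {
        // These are the values a Laravel debug page prints to any visitor.
        $secretKeys = ['APP_KEY', 'DB_PASSWORD', 'MAIL_PASSWORD', 'AWS_SECRET_ACCESS_KEY'];
        $exposed = array_filter($secretKeys, fn ($k) => ($env[$k] ?? '') !== '');
        $findings[] = 'APP_DEBUG=true in production: error pages would expose '
            . ($exposed ? implode(', ', $exposed) : 'configuration details');
    }
    return $findings;
}

// Constructed sample .env contents: the weak setting beside the corrected one.
$weak  = "APP_ENV=production\nAPP_DEBUG=true\nDB_PASSWORD=\"s3cret\"\nMAIL_PASSWORD=mailpw\n";
$fixed = "APP_ENV=production\nAPP_DEBUG=false\nDB_PASSWORD=\"s3cret\"\nMAIL_PASSWORD=mailpw\n";

foreach (['weak' => $weak, 'fixed' => $fixed] as $label => $contents) {
    $findings = auditEnv($contents);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'ok', PHP_EOL;
}
```

Run it as a deployment gate (non-zero exit on findings) so a site cannot go live with debug mode enabled.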

What is the impact?

Researchers said that this exposure could allow attackers to potentially hack email servers, explore source code structure, find weak points, re-use passwords on other systems, and more.

  • This has also impacted several websites that are used for the 2020 US presidential election campaign.

Worth noting

Researchers who found the exposed websites have started notifying the website owners about the exposures from October 11, 2019, onwards.

“The debug interface can be accessed from a web browser. It often contains plain-text sensitive details and API credentials like shared secrets, passwords, and database locations—information that hackers can use to steal data or develop further attacks on the system,” researchers said.
