As we all know, the Kenya police website was hacked multiple times recently. Today, we report on how, exactly, the hacker got in.
Of course it is not really “hacking” (here’s why) – it is more of “defacement”. Regardless, Idd Salim has a post up that analyses this “hacking” in detail. According to Salim, this is what happened:
The “hacker”, looking for a way into the site (or maybe just curious) did the simplest of things and got the admin password to the Kenya police website just sitting there, exposed for everyone to abuse.
The “hacker” probably just entered this query into Google search: “filetype:txt kenyapolice.go.ke”
This query checks whether there is any text document on the Kenya Police website that can be accessed by the public. Unbelievably, the password to the whole police website was stored in an insecure text document and all the “hacker” had to do was read it, and log in.
Exhibit C (click for larger)
Easy peasy. The password was just sitting there waiting to be discovered.
It is such a shame that the primary security organ in this country clearly does not know, does not care, or both when it comes to cyber security.
[…] Bad The Kenya Police – this is the site of the Kenya Police. Besides being hacked numerous times a while back, it is not available right now. Makes you wonder, doesn’t […]