As we all know, the Kenya police website was hacked multiple times recently. Today, we report on how, exactly, the hacker got in.
Of course it is not really “hacking” (here’s why) – it is more of “defacement”. Regardless, Idd Salim has a post up that analyses this “hacking” in detail. According to Salim, this is what happened:
The “hacker”, looking for a way into the site (or maybe just curious) did the simplest of things and got the admin password to the Kenya police website just sitting there, exposed for everyone to abuse.
The “hacker” probably just entered this query into Google search: “filetype:txt kenyapolice.go.ke”
This query checks whether there is any text document on the Kenya Police website that can be accessed by the public. Unbelievably, the password to the whole police website was stored in an insecure text document and all the “hacker” had to do was read it, and log in.
Easy peasy. The password was just sitting there waiting to be discovered.
It is such a shame that the primary security organ in this country clearly does not know, does not care, or both when it comes to cyber security.