Deloitte’s ‘Test your Hacker IQ’ site fails itself after exposing database user name, password in config file

From theregister.com

A website created for global consultancy Deloitte to quiz people on knowledge of hacking tactics has proven itself vulnerable to hacking.

The site, found at the insecure non-HTTPS URL http://deloittehackeriq.com/, makes its YAML configuration file publicly accessible. And within the file, in cleartext, is the username and password for the site’s MySQL database.

The site invites visitors to “Test Your Hacker IQ” by entering a username. It then poses a series of multiple-choice questions about techniques employed by hackers to obtain corporate information. The quiz doesn’t cover the possibility of publicly exposed passwords.
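As an added example, not code from the article or from the quiz site, here is a pre-deployment check for the class of exposure described: it walks a web document root and flags YAML, .env, .ini or .json files that define credential-like keys, so a config file holding database credentials is caught before it is served from a public directory. The key list, file suffixes and sample file contents are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Added example, not code from the article or from the quiz site: a pre-deploy
# check that walks a web document root and flags config files carrying
# credential-like keys, the kind of exposure the article reports.
CONFIG_SUFFIXES = {".yml", ".yaml", ".env", ".ini", ".json"}

# Matches a key such as "username:", "db_password =", "secret:" at line start
# (indented YAML keys included). The key list is an assumption; extend per app.
SECRET_KEY_RE = re.compile(
    r"^\s*([A-Za-z_]*(?:user|password|passwd|secret)[A-Za-z_]*)\s*[:=]",
    re.IGNORECASE | re.MULTILINE,
)


def find_exposed_config(docroot):
    """Return [(relative_path, [keys])] for config files under docroot that hold secret-like keys."""
    root = Path(docroot)
    findings = []
    for path in sorted(root.rglob("*")):
        # Path(".env").suffix is "", so match dotfile names explicitly.
        is_config = path.name == ".env" or path.suffix.lower() in CONFIG_SUFFIXES
        if not path.is_file() or not is_config:
            continue
        text = path.read_text(errors="replace")
        keys = sorted({m.group(1).lower() for m in SECRET_KEY_RE.finditer(text)})
        if keys:
            findings.append((path.relative_to(root).as_posix(), keys))
    return findings


def demo():
    """Build a constructed document root resembling the reported layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Test Your Hacker IQ</h1>\n")
        (root / "config").mkdir()
        # Constructed sample values, not the real site's credentials.
        (root / "config" / "database.yml").write_text(
            "production:\n  adapter: mysql2\n  host: db.example\n"
            "  username: quizapp\n  password: CHANGEME-sample\n"
        )
        (root / "config" / "theme.yml").write_text("colors:\n  primary: '#00aa00'\n")
        return find_exposed_config(root)


if __name__ == "__main__":
    for rel, keys in demo():
        print(f"EXPOSED: {rel} defines {', '.join(keys)}")
```

Run it against the real document root in CI and fail the deploy on any finding; the scan reads files on disk only and never contacts the web server.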
