In free time, I stumbled accidentally to Github repo of current minister for cybersecurity and computer science (and 2 other things that I don't remember).
here: github - Srdjan Rajcevic
After 3 min review - I found "delete" credentials from SQLite DB. My first thinking was that cred is used for private profile - so I report to local CERT RS on this. The response the same day as case closed.
But it was not. Keys did not delete or revoked. After 24h I checked
After reviewing what keys are used - I found it that was meant to be part of ex-CERT twitter bot for news. But it was never finished. Here is ex blog of the minister blog webarchive
I make simple bot code in less than 30 sec (just google it for API and documentation)
Run with proper keys. Boom!
twitter bot has a half picture of minister
Also, I send DM to all followers to revoke bot keys.
But up today - keys are not revoked.
Also, all info is removed I guess it was hard to receive this kind of info especially if you are marked as someone who can protect the complete infrastructure of one government.
And before this, I got blocked from the account minister for "cybersecurity" and 3 things I don't remember. My question on some topic hit him hard.
To sum all this: The bot was there for 3 years and no one from ex and current CERT was able to catch "leaked credentials" which wonder me - what would happen if we start to review the complete infrastructure of government? Yes, I don't have a penetration-tester agreement so this was closed to "hack a profile" of the minister. It was fun - not a hacking just joke with ppl. Take me no more than 5 min (3 to find + 1 read a review of bot + 1 for the PoC)
Do not leave cred in the open text - always encrypt. Use some strong encryption to protect your secret. Then do not share your secret in any way. Review your code.
Also, this reminds me like the 1999-2001 period when beginners code in C for IRC bots and they leave format string bug on some command and you print complete memory and get password/user for master user. That was a good time.
EPILOG: several people thank me on this because they did same mistake.
