Lesson learned from gaining access to the Al Ain University [United Arab Emirates] server.

Amuda Adeolu Badmusking
2 min read · Jun 25, 2020

Consistency with dedication shouldn’t be joked with in your daily affairs.

Be sincere and take realistic steps before learning anything.

If you are not ready to play a game, I advise you not to move near the pitch.

On Dec 14, 2018, a partner showed me a new episode of life. I wasted no time but decided to divert my attention to my PC, and that led me into gaining full access to the Al Ain University [United Arab Emirates] (https://aau.ac.ae/) codebase, DBs, git logs…

1. Misconfigured Git (https://aau.ac.ae/.git/) directory which is exposed publicly; this is the structure of the directory:

2. Every file can be downloaded recursively via ‘wget -r’, which can cause serious damage.
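The mistake described above (a repository checkout, `.git` included, sitting inside the web root) is easy to catch before a site goes live. The shell script below is an added example, not code from the post or from the university: it takes a document-root path as its only argument, and the function names (`find_vcs_metadata`, `describe_git_exposure`, `docroot_is_clean`) are this script's own.

```shell
#!/bin/sh
# Added example (not the post's or the university's code): refuse to deploy a
# document root that still carries version-control metadata. The only input is
# the document-root path; the function names are this script's own.

# Print every VCS metadata directory found under the document root, one per
# line. .git is the case from the post; .svn and .hg leak the same way.
find_vcs_metadata() {
    find "$1" \( -name .git -o -name .svn -o -name .hg \) -prune -print 2>/dev/null
}

# For a .git directory, list which of the files a served checkout hands out are
# present: HEAD (entry point for a recursive fetch), config (remote URLs, at
# times with embedded credentials), logs/HEAD (the full reflog), index, packed-refs.
describe_git_exposure() {
    for f in HEAD config logs/HEAD index packed-refs; do
        [ -e "$1/$f" ] && echo "$1/$f"
    done
    return 0
}

# Exit status 0 when the docroot is clean, 1 otherwise.
docroot_is_clean() {
    [ -z "$(find_vcs_metadata "$1")" ]
}

# Usage: ./check-docroot.sh /var/www/html   (run before the site goes live)
if [ "$#" -gt 0 ]; then
    if docroot_is_clean "$1"; then
        echo "OK: no VCS metadata under $1"
    else
        echo "FAIL: VCS metadata would be served from $1:" >&2
        find_vcs_metadata "$1" | while read -r d; do
            echo "  $d"
            describe_git_exposure "$d" | sed 's/^/    /'
        done >&2
        exit 1
    fi
fi
```

Wiring this into the deploy step (fail the deploy when it exits 1) removes the root cause; the web-server rules in the "How it was fixed" section are the second layer for checkouts that slip through.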


How did it happen?

Shortly after I received the (https://aau.ac.ae/) newsletter email,
I decided to explore the University directory security permissions, and I found out the University was
joking with their whole software systems (interNET).

The loophole

1. Misconfigured Git directory which is exposed publicly.

The resources I have access to after my experiment

1. An entire codebase that runs on their (https://aau.ac.ae/) server
2. Their database security credentials
3. Full git logs
4. Entire production database (even with IP restriction)
5. Entire system assets

Proof/Justification: https://docs.google.com/document/d/1clyZDXj1id54Ygy13S2Ia_8W3bAStMVEpACkwz0oHtE/edit?usp=sharing

What does that mean?

1. I can do and undo anything I feel like (from acting as a lecturer to modifying or creating records).

What I did after conducting numerous successful tests

1. I reached out to the University management and they fixed the high-priority failure within 1 hour.

Compensation

1. No monetary compensation, but I added positive remarks to myself, my relatives, and my beloved country (Nigeria) instead of acting otherwise.

What I learned from it
1. If you mistakenly develop accurately working software (web, mobile, desktop…) without understanding the fundamentals of building
software (computer science), then you are just wasting your time.
The money you have earned might not last as you expect,
and you have a high tendency of getting replaced in the near future.

2. Only very few organizations hire qualified software engineers who properly understand computer science fundamentals;
organizations nowadays only care about “Get it done”.

3. If you are not ready to become a software engineer or related, I advise you not to waste your precious time learning how to code; instead use that time for something else.

Have I ever worked with (https://aau.ac.ae/) on anything prior to this event?
1. No.

How it was fixed

1. Ensure that the .git directory is not being indexed and that the directory, its subdirectories, and all files are inaccessible using server permission rules.
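Server permission rules of that kind, as an added example rather than the university's actual configuration: the nginx and Apache snippets below are the usual way to refuse any request that touches `.git` (or `.svn`/`.hg`) over HTTP, and the script installs the nginx one idempotently and offers a post-deploy check. The snippet file name `deny-vcs.conf`, the directory argument, and the `curl`-based check are assumptions of mine.

```shell
#!/bin/sh
# Added example, not the university's configuration. Emits web-server rules
# that refuse any request touching /.git/ (and other VCS metadata), installs
# the nginx one idempotently, and offers a post-deploy check.

# nginx snippet: include it inside the site's server { } block.
# 404 rather than 403, so the response does not confirm the directory exists.
nginx_deny_rule() {
    cat <<'EOF'
# Deny access to version-control metadata (e.g. /.git/HEAD, /.git/config)
location ~ /\.(git|svn|hg)(/|$) {
    return 404;
}
EOF
}

# Apache 2.4 equivalent for httpd.conf (DirectoryMatch is not valid in .htaccess).
apache_deny_rule() {
    cat <<'EOF'
<DirectoryMatch "/\.(git|svn|hg)(/|$)">
    Require all denied
</DirectoryMatch>
EOF
}

# Write the nginx snippet to <dir>/deny-vcs.conf unless an equivalent rule is
# already there, so the script can be re-run from a deploy pipeline.
install_nginx_rule() {
    target="$1/deny-vcs.conf"
    if [ -f "$target" ] && grep -qF 'location ~ /\.(git' "$target"; then
        return 0
    fi
    nginx_deny_rule > "$target"
}

# Post-deploy check on your own site: exit 0 once <base>/.git/HEAD no longer
# answers 200. Needs curl and network access, so the self-test does not run it.
git_dir_is_blocked() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/.git/HEAD")
    [ "$code" != "200" ]
}

# Usage: ./deny-vcs.sh /etc/nginx/snippets https://www.example.edu
if [ "$#" -ge 1 ]; then
    install_nginx_rule "$1" && echo "wrote $1/deny-vcs.conf (include it in the server block and reload nginx)"
    if [ "$#" -ge 2 ]; then
        if git_dir_is_blocked "$2"; then
            echo "OK: $2/.git/HEAD is not served"
        else
            echo "FAIL: $2/.git/HEAD still answers 200" >&2
            exit 1
        fi
    fi
fi
```

The rule only hides the directory from HTTP; the checkout is still on disk, so the deploy-time check earlier in the post (keeping `.git` out of the document root altogether) remains the primary fix, and this snippet is the safety net.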

Message:

Be sincere and take realistic steps before learning anything.
If you are not ready to play a game, I advise you not to move near the pitch.
Real success requires consistency with dedication.
