Debunking Fireplan.de disclosure email
I got the disclosure email sent to all their clients, and the information in it is highly inaccurate
Recently I have been contacted by some Fire Departments asking if they were indeed affected by the Fireplan.de incident I published about recently, because apparently they had been told they weren’t.
Most of the information I was being told about the incident did not match what I found. I also got a copy of the email the company sent to their clients, and when I translated it, most of it contained information that in no way matched what I’ve seen, so I’ll try to explain here exactly what isn’t matching.
A full English translation can be read here: https://pastebin.com/tEb8nd7i
I’ll quote parts of it and try to give further details on why I believe the information does not match.
The examples left out key information
“This vulnerability affected uploaded documents that can be added within a personnel file in the "Documents" tab (e.g. course certificates, certificates of participation, etc.).”
For some reason, the company gave course certificates and certificates of participation as examples and didn’t mention driver’s licences or any other type of document that was also exposed.
The reason I noticed the servers in the first place was that there were so many driver’s licences exposed on them that they kept showing up when I was looking at random pictures in my logs. Leaving out the document type that was present in the highest quantity on the exposed servers I found seems odd.
They mention the Documents tab, but the exposure was on multiple containers. I have the filenames for a small number of servers on another exposed container, but because I only noticed it after I had already reported this and it was closed down, I can’t tell exactly what was in that container for most of the servers.
I have no idea if more was exposed, because after I found the 180+ servers I stopped looking for more; I had enough to try and identify whoever was responsible for this, and I wasn’t expecting them to make the claims they are making.
The timeline is off by at least 11 months
“The cause was an update of infrastructure components that we carried out on October 12, 2024.”
I reported in my original post that my logs showed this was exposed as far back as February 2024, but after I was told about the timeline the company was mentioning, I got curious whether this wasn’t even worse than I thought and decided to go check my first logs from when I initially started scanning this cloud service.
I didn’t have a general log file with dates back then, but the file listings have a creation date, and it shows the 3rd and 4th of December 2023. This is over 10 months before the company supposedly did the update that exposed the data.
This is also only the date I found it; these are the oldest logs I have, which means the exposure goes back further than that, and only the company can actually tell how long.
The clients are not being informed
“Based on our analysis we did already inform all affected customers. If you did not get a direct contact earlier, you were not affected.”
I’ve talked about this in a smaller update I posted on my infosec.exchange page, which I also added to the original post, but I will say it again and provide some more details so people can draw their own conclusions if they were not notified that they were affected.
On the day of publishing this, I had been asked for information about 6 different Fire Departments.
5 were on my list, and most if not all of them were told they weren’t affected.
There was one that contacted me but didn’t show up in my logs. The reason is simply that the town name of the Fire Department was not on the list I grabbed online; I wasn’t trying to get every server, just to confirm what I was looking at.
What I saw tells me that all servers were probably set up the same way, with the same naming scheme for servers, files and the exposed containers.
I’ve heard about the update being rolled out in phases, therefore only affecting a small number of clients. I don’t think there was any update here that was phased in over a whole year, but maybe I just don’t know what I’m talking about. The logs I used to initially identify this exposure came from July 2024 and contained over 90 of the 180+ servers I eventually found when I searched for German towns.
The update post is missing?
Fireplan has a Blog & News tab on their website where they post about updates to their software. The last post is about a July 28th update, and before that October 2023; there is no mention of a 12th of October 2024 update anywhere on their website or social media.
Fireplan wanted to talk with me
One of the Fire Departments who reached out to me got in contact with the company with the information I provided them, and apparently the company wanted to either get in contact with me or have me send them an email to clarify which servers were exposed.
I declined this request and directed the company to the Data Protection Authority (@lfdi), who initially contacted them and is handling this case. They have a copy of the list I found and have been updated with all the information I have.
It makes no sense that I’m the one who can clarify anything, since I never had access to any of the cloud accounts the company uses; I don’t know exactly what they own that ended up exposed.
Some final notes and thanks
Everyone who reached out to me has told me basically the same thing, with different wording: “The issue here isn’t the exposure itself, mistakes happen, but how this is being handled by the company.” I don’t know why the information is so far off from reality, but I have been in contact with people on the Data Protection Authority side and have been updating them with the information I have. I also provided more information to the Fire Departments who reached out. Hopefully Fireplan will give a more accurate update soon.
I would also like to thank Kaspar from @bucketchallenge for helping with the translation of the email sent by the company.