Vulnerability testing
SaToSS is focused on formalizing and applying formal reasoning to real-world security problems and trust issues.
As part of our research, we perform vulnerability testing of existing, deployed systems.
In executing and reporting these tests, we follow our internal code of conduct with respect to vulnerability testing.
Below, we give a selection of anonymized incident reports.
- (January 2012) We discovered a vulnerability in an online lottery organized by a Luxembourgish company. By testing whether the access-control parameters passed in the URL could be tampered with, we were able to 'win' the lottery without holding the winning lot. To disclose the technical problem and prevent a potential financial loss for the company, we reported the vulnerability to the company in question, which subsequently acknowledged the vulnerability and decided to pursue its resolution.
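The incident above is anonymized, so the following is an added illustration of the vulnerability class it describes, not code from the lottery site or from SaToSS: a prize-claim handler that derives its decision from parameters the client supplies in the URL, beside a hardened version that binds the ticket to the logged-in user with a server-side HMAC and checks the draw result only from server-side state. All names, the secret key, the ticket identifiers and the owner table are hypothetical and constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state (hypothetical): the drawn ticket and who holds which ticket.
WINNING_TICKET = "T-48213"
TICKET_OWNERS = {"T-48213": "alice", "T-10077": "bob"}
# Assumption: this key exists only on the server and never reaches the client.
SERVER_KEY = b"example-secret-key-do-not-reuse"


def _query_params(url: str) -> dict:
    """Flatten the URL query string into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def claim_insecure(url: str) -> str:
    """Vulnerable pattern: the outcome is decided by client-controlled URL parameters.

    Anyone who can edit the query string can set winner=1 and name any ticket,
    so the 'access security parameters' in the URL provide no security at all.
    """
    p = _query_params(url)
    if p.get("winner") == "1":
        return f"payout to holder of {p.get('ticket', '?')}"
    return "no prize"


def sign_ticket(ticket: str, owner: str) -> str:
    """Server-issued token binding a ticket to the account that bought it."""
    msg = f"{ticket}|{owner}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def claim_secure(url: str, session_user: str) -> str:
    """Hardened pattern: nothing in the URL is trusted on its own.

    The ticket must carry a valid HMAC for the authenticated session user,
    the server's own ownership record must agree, and the win/lose decision
    comes from WINNING_TICKET on the server, never from a request parameter.
    """
    p = _query_params(url)
    ticket = p.get("ticket", "")
    sig = p.get("sig", "")
    expected = sign_ticket(ticket, session_user)
    # Constant-time comparison so the token check itself does not leak via timing.
    if not hmac.compare_digest(expected, sig):
        return "invalid token"
    if TICKET_OWNERS.get(ticket) != session_user:
        return "not your ticket"
    if ticket != WINNING_TICKET:
        return "no prize"
    return f"payout to {session_user}"


if __name__ == "__main__":
    # Bob holds the losing ticket T-10077 but rewrites the URL.
    forged = "https://lottery.example/claim?ticket=T-10077&winner=1"
    print("insecure:", claim_insecure(forged))
    # Against the hardened handler, Bob's own valid token still yields no prize,
    # and swapping in the winning ticket id breaks the HMAC.
    bob_sig = sign_ticket("T-10077", "bob")
    print("secure, own ticket:", claim_secure(f"https://lottery.example/claim?ticket=T-10077&sig={bob_sig}", "bob"))
    print("secure, tampered:", claim_secure(f"https://lottery.example/claim?ticket=T-48213&sig={bob_sig}", "bob"))
```

The point of the hardened version is not the HMAC by itself but what it is bound to: the ticket, the purchasing account and the server's own record of the draw. A signed parameter that is not tied to the session, or a decision flag that the client is allowed to send, would reproduce the original weakness.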
- (February 2012) We discovered a vulnerability in a Luxembourgish government website which allowed third parties to execute arbitrary SQL queries on the server (SQL injection). Moreover, we found that, as a consequence of this vulnerability, more than 100 other websites hosted on the same server, some of which were closely linked to the government, critical infrastructure or other sensitive sectors, were also exposed.
If exploited by a malicious attacker, this vulnerability could have had the following consequences:
- disclosure of user names and passwords for accounts on several of these websites
- disclosure of confidential data stored in the databases of these websites
- modification of stored data by unauthorized outsiders
- loss of integrity of the data held in the databases
To mitigate these risks, we reported this vulnerability to GovCert.lu (the governmental Computer Emergency Response Team). GovCert.lu acknowledged the vulnerability and reported it to the provider hosting the vulnerable websites, which subsequently resolved it.
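The report above does not say how the injection point or the shared hosting were set up, so the following is an added, generic demonstration rather than a reconstruction of that site: a login query that concatenates user input, beside the parameterized form, run against an in-memory SQLite database that stands in for the shared server. The two tables model two different websites whose databases are reachable through the same injection point, which is the mechanism by which one vulnerable site exposes the others. Table names, credentials and payloads are constructed for the example.

```python
import sqlite3


def build_shared_db() -> sqlite3.Connection:
    """Constructed stand-in for a hosting server where several sites' tables
    are reachable with the same database privileges."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE site_a_users (username TEXT, password TEXT);
        CREATE TABLE site_b_users (username TEXT, password TEXT);
        INSERT INTO site_a_users VALUES ('editor', 'hunter2');
        INSERT INTO site_b_users VALUES ('admin', 'c0rrect-horse');
        """
    )
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is pasted into the SQL text, so quote characters,
    comment markers and UNION clauses become part of the query."""
    sql = (
        "SELECT username FROM site_a_users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in con.execute(sql).fetchall()]


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the query text is fixed and the driver binds the values, so the
    same payloads are compared as literal strings and match nothing."""
    sql = "SELECT username FROM site_a_users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password)).fetchall()]


# Constructed payloads: the first bypasses the password check on site A, the
# second uses the same injection point to read site B's credentials.
BYPASS_PAYLOAD = "editor' --"
CROSS_SITE_PAYLOAD = "x' UNION SELECT username || ':' || password FROM site_b_users --"


if __name__ == "__main__":
    con = build_shared_db()
    print("bypass:", login_vulnerable(con, BYPASS_PAYLOAD, "wrong"))
    print("cross-site read:", login_vulnerable(con, CROSS_SITE_PAYLOAD, "wrong"))
    print("parameterized:", login_parameterized(con, CROSS_SITE_PAYLOAD, "wrong"))
```

Parameterizing the query closes the injection itself. The cross-site read shows the second lesson of the incident: on a shared server, each site's application should also connect with its own database account that can see only its own schema, so that a remaining flaw in one site cannot reach the others' data.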