Threat Hunting - Clear Text Credentials in the URL

Threat Hunting - Clear Text Credentials in the URL


One of the interesting cases from the Talanos threat hunting team sessions was the discovery of the clear text credentials passed as parameters in the URL which belonged to the supplier’s website.

This is a huge security issue, because the threat actors use every opportunity to gain access to corporate networks, and their focus expands to the suppliers as well, escalating into supply chain attacks, which are very damaging and can serve as an entry point into corporate networks.

A supply chain attack is a type of cyberattack that targets a trusted third-party vendor who offers services or software vital to the supply chain.


The analysis of the logs revealed exposed credentials in the URLs (links), which were part of email communications between the client and supplier. This case was particularly concerning because the URL contained a complete set of credentials – username and password - passed as parameters.

The look of the URL (with the sensitive information removed):

Also, in this particular case, the username matched the password (USERNAME=PASSWORD), and both failed on all possible password complexity checks with password containing 3 static capital letters and 3 digits. It doesn't take long for the attackers to crack the password of 6 characters.

Because of such a simple password structure, Talanos threat hunting team managed to enumerate a good number of the accounts by manipulating the dynamic part of the password and avoiding using the tools for website login attacks, this way simulating threat actors and completely avoiding detection by the blue team, because no active tools were used for enumeration and logins, and the credentials were valid.

After gaining full access to the multiple accounts on the supplier’s website, a Cyber Security Incident was raised with the client and Incident Response actions were triggered.


After the Initial Access, Talanos' threat hunting team managed to extract minimal personal details, with the notable details being:

    • Name
      • Surname
        • Email address
          • Job title (related to the website)
            • Telephone

                The compromised accounts were the accounts of the users who were tasked to raise various orders with the supplier on behalf of the organization, and some of the accounts had roles in authorizing the orders immediately.

                This collected information has a massive potential for future spear phishing campaigns.

                Also, there are other security related issues regarding this case:

                • URLs show up in your browsing history. If the user’s machine is compromised by unauthorized access or malware, the credentials can be extracted very easily.
                • Web servers and firewalls are logging incoming requests. The exposed credentials will show up in these logs, increasing the risk of a credentials leak.
                • If the website's URL shows you your password in plain text, that probably means they are also storing it in a clear text format. So, if there ever happens to be a breach of their database, your password will be disclosed.

                Imagine how disruptive it would be in the supply chain, if hundreds of accounts, used to order various supplies across multiple business units, place an order for £5000 or more and have a password reset immediately after? 

                It will cause significant chaos and confusion, also because this will be declared as a cyber incident, all supply chain operations will be halted till the investigation and all Incident Response steps will be completed.


                Based on the assessment of this cyber security incident, the following recommendations were raised for the client:

                • Create unique username and password pairs, with the passwords meeting up-to-date complexity requirements.
                • Implement MFA (Multi-factor Authentication) where it is possible.
                • For the owners of the supplier’s website, implement End-to-End encryption of the customers' data.

                This case is a good example of missing a critical area of any business – supply chain. Often, all defenses are focused on business units and people working for the organization, and the supply chain gets less attention than it should.

                Some of these factors make it more difficult for the defenders to do their assessments regarding the supply chain:

                • Lack of visibility and monitoring of supply chain operations.
                • It needs both sides (client and supplier) to raise and remediate issues proactively.
                • Security might have different maturity levels for each side.

                These are the many challenges the blue team is facing today. But the right mindset and efforts can move mountains.

                Please protect your supply chains.