Spreading awareness to governments (Bank Of Uganda)

By Oscakampala cyber security branch: For educational purposes only



Hello readers. I'm WARREN alias WarrenMu. An ethical white hacker who has a heart for his country.

Recently I was so bored that I thought of watching a hacking movie, the "Who Am I: No System Is Safe" kind of movie, but I was too bored for that too. I opened up one of my laptops to navigate the internet for one, and in the process a thought hit me: how safe are the banks of my country, Uganda?

I used Google Dorking to find some potentially weak sites that haven't been updated with time; nevertheless, they were too normal to acquire my attention.

I thought of the Bank of Uganda and I did some passive recon on it. I found very potential bugs that I won't disclose publicly to exploit since I have no permission to.

First I went to the Ministry of Finance to help me approach the main bank's security team, and I was directed to Nita Uganda. Taking you back, I had disclosed a vulnerability in the login panel to the Ministry of Finance's CMS; I had a presentation with them and it was fixed ASAP.

I talked to the security analyst of Nita after talking to one of the helpful workers I was referred to from the Ministry of Finance, Mr. Xxx (not disclosing their names).

After 24hrs, there was no response. (WTF!!). I mean, does the government care about critical issues in their systems?

I decided to go to the Bank of Uganda myself. Don't forget that all I'm using are my resources, including transportation fees. Sadly, I was bounced at the reception even after explaining to them that it was an emergency. (Dummies!! lol)

An open-source Python engineer from the open-source community in Kampala and I have decided to write about it, and hopefully it can move to the responsible people.

Today's agenda is to call on cyber security experts in Uganda to come out so that we, as one, find a solution to this. If a malicious threat actor lands on these bugs... (but who cares, right! Or is it!!!)

This bug can be chained to an RCE (remote code execution).

I hope this can reach the eyes and ears of our big bank, because privately I've been bounced out of my initiative. After some days from now, I'll be releasing the bug on my GitHub.

Stay safe and be blessed.