Flock Safety is a Software as a Service (SaaS) web application designed to assist organizations in enhancing public safety through advanced analytics and integration with geographic information systems (GIS). As part of a routine front-end security review, I identified embedded secrets within the front-end application that could potentially be exploited for unauthorized access, underscoring the critical need for strong security practices in tools vital to community protection.
Approximately one year ago, I conducted a review of the front-end web code using the Chrome web browser. During my review of the loaded JavaScript, I noticed something troubling: embedded secrets were present in the code that was loaded in the admin portal before a login was established. These secrets could potentially be used to gain unauthorized access to sensitive systems.

I created a demo account with ArcGIS and, using these embedded secrets, I was able to place the ArcGIS production layer on that demo account. While I didn’t delve deeper into manipulating any data, my initial tests revealed read access to public information, such as camera locations. This was concerning enough on its own.

In this case, I chose not to escalate my findings beyond reading public data. However, the potential consequences of such a breach are profound. If malicious actors had gained access to the ArcGIS server or other internal systems, it could have led to data loss, financial fraud, or even physical harm if sensitive camera locations were misused. Thankfully, Flock Safety took swift action to resolve the security issue and strengthen their system against future threats.

The finding was disclosed to Flock Safety via the public contact form on https://www.flocksafety.com nearly a year ago. I delayed the release of the findings out of respect for the situation. I would recommend that all corporations have a Vulnerability Disclosure Program (VDP) to facilitate communication with security analysts who make ethical disclosures. I never received a response from Flock Safety but did verify that the key has been removed from the source file and was rotated.
This experience serves as a stark reminder that security isn’t a one-time fix—it’s an ongoing process. Organizations must invest in regular automated scans, manual pen-testing, and employee training to stay ahead of potential threats. By fostering a culture of continuous improvement and vigilance, companies can minimize their exposure to vulnerabilities like the one I encountered.
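One automated check that catches the class of problem described above is to scan the built JavaScript bundle for credential-looking strings before it is deployed, and fail the build when any are found. The script below is an added example of mine, not code from Flock Safety or ArcGIS; the sample bundle text and every key value in it are constructed, and the keyword list and entropy threshold are assumptions to tune per project.

```python
import math
import re
import sys
from collections import Counter

# Constructed sample of a minified pre-login bundle; every value is made up.
SAMPLE_BUNDLE = "\n".join([
    'var cfg={mapUrl:"https://example.invalid/arcgis/rest/services",apiKey:"k7Qz9LmN3vR8tY2wE5uI1oP6aS4dF0gHjX2c",debug:false};',
    'const token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ZmFrZQ.c2lnbmF0dXJl";',
    'var h={"X-Client":"Zq8vT1nL5xP0rK3mW9yB2dF6gJ4hS7uC"};',
    'var color="#ffffff"; var label="Camera Locations";',
])
# Identifier names that usually hold a credential when assigned a long string literal.
KEYWORD_RE = re.compile(
    r'(?i)([A-Za-z_]*(?:api[_-]?key|token|secret|password)[A-Za-z_]*)'
    r'\s*[:=]\s*["\']([^"\']{16,})["\']'
)
# Any long base64/hex-looking literal, checked by entropy so unnamed keys are caught too.
LONG_STRING_RE = re.compile(r'["\']([A-Za-z0-9_\-.=/+]{20,})["\']')
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed, tune against false positives

def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a constant string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_secrets(source):
    """Return (line_no, reason, value) for each likely credential in JS source."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), 1):
        named = set()
        for m in KEYWORD_RE.finditer(line):
            hits.append((line_no, "keyword:" + m.group(1), m.group(2)))
            named.add(m.group(2))
        for m in LONG_STRING_RE.finditer(line):
            val = m.group(1)
            if val not in named and shannon_entropy(val) >= ENTROPY_THRESHOLD:
                hits.append((line_no, "high-entropy", val))
    return hits

def redact(value):
    """Show only the ends of a value so the report does not itself leak the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for line_no, reason, value in find_secrets(source):
        print(f"line {line_no}: {reason} -> {redact(value)}")
    sys.exit(1 if find_secrets(source) else 0)  # non-zero exit fails the CI job
```

Run it against the output directory of the front-end build; a URL or a colour literal does not trip the entropy check, but a pasted API key or bearer token does, whether or not it is assigned to a telling variable name.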
While this particular incident didn’t result in catastrophic consequences, it’s a wake-up call for everyone involved in web application security. Let this serve as motivation to double down on your security practices and ensure that your systems are as robust as possible. The stakes are too high to take anything for granted.
