
Public disclosure for a healthier cybersecurity culture

Landspitali is the leading hospital in Iceland and the largest workplace for employees in health care. It is funded by the Ministry of Welfare, supervised by the Directorate of Health and provides specialised and general care and has the capacity of approx. 700 beds. To say that it is an important organisation in Iceland is an understatement and almost every Icelander relies on their services in some way.

Coordinated and public disclosure of vulnerabilities is an extremely important part of building a stronger cybersecurity culture as well as strengthening supply chains. Having organisations share the vulnerabilities they have identified and fixed, so that others can learn from them, is critical to the goal of ensuring safer digital communities. To that end, Landspitali has taken a bold step towards improving Iceland’s digital safety, not simply by fixing a reported vulnerability before any incident occurred, but also by allowing the public disclosure of all vulnerabilities submitted to them via Defend Iceland. Today we start that journey by discussing a critical security vulnerability that was discovered through their Defend Iceland bug bounty program.

For those who want to dive into the technical details, you can find the full report here. For everyone else, let's break this down in simpler terms and discuss why this is such a huge deal.

The Vulnerability: What Happened?

Security researchers from Defend Iceland discovered a serious weakness in one of Landspítali's employee authentication systems. A publicly accessible CMS (content management system) had no restrictions on login attempts, meaning attackers could try thousands of password combinations until they found a match. Credentials obtained this way, and further credentials subsequently identified through password spraying, could then be used to access cloud resources such as Office 365. For users who had not completed the multi-factor authentication (MFA) enrollment process, this in some cases allowed an attacker to register MFA on the user's behalf, effectively locking out the legitimate user and taking over their identity and their access to internal hospital resources.

This type of vulnerability could potentially have led to unauthorized access to sensitive information, including emails, internal documents, and other sensitive data. In the worst-case scenario, attackers could have escalated privileges within Landspítali's IT environment, potentially compromising the entire hospital domain and resulting in a ransomware attack. That would be the worst-case scenario for our community, and exactly what we are trying to defend against.

The Importance of MFA (and Why Enrollment Matters!)

MFA is one of the most effective security measures we have today. When enabled, even if someone steals your password, they can’t log in without a second factor - usually a code sent to your phone or an authentication app.

However, here’s the catch: if users don’t complete the MFA setup process, an attacker who gains access to their account may be prompted to set up MFA themselves. This means the hacker can lock the real user out of their own account! This is exactly what could have happened at Landspítali had this vulnerability gone undetected and been abused by a malicious third party.

The takeaway? MFA should not only be required - it should be actively enforced to ensure users complete the setup. Otherwise, attackers can use this security feature against us. This is what Landspitali hopes to share so that others can learn and help proactively address potential threats.
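As an added illustration (not code from the report, from Landspítali or from Defend Iceland), here is a small Python detector that runs the three checks a defender would want over authentication logs for the chain described above: an unthrottled brute force against one account, password spraying across many accounts from one source, and an MFA registration that completes enrolment on a previously unenrolled account right after a login from a flagged source. The log format, the thresholds and every sample value are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def windowed_hits(events, key, value, window, threshold):
    """Keys whose failed logins span >= threshold distinct values inside a sliding window."""
    flagged, recent = set(), defaultdict(deque)
    for ev in sorted(e for e in events if e[3] == "login_fail"):  # (ts, source, user, type)
        q = recent[key(ev)]
        q.append((ev[0], value(ev)))
        while ev[0] - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        if len({v for _, v in q}) >= threshold:
            flagged.add(key(ev))
    return flagged

def find_mfa_hijack(events, bad_sources):
    """Users whose FIRST MFA registration came after a login from a flagged source."""
    enrolled, taken_over, hijacked = set(), set(), set()
    for ts, src, user, event in sorted(events):
        if event == "login_ok" and src in bad_sources:
            taken_over.add(user)
        elif event == "mfa_registered":
            if user in taken_over and user not in enrolled:
                hijacked.add(user)  # never enrolled before: the attacker completed enrolment
            enrolled.add(user)
    return hijacked

def analyse(lines):
    """Parse constructed 'timestamp source user event' lines and run the three checks."""
    events = [(datetime.fromisoformat(t), s, u, e) for t, s, u, e in map(str.split, lines)]
    ten_min = timedelta(minutes=10)
    # spraying: one source, >= 5 distinct accounts within ten minutes
    sprays = windowed_hits(events, lambda e: e[1], lambda e: e[2], ten_min, 5)
    # brute force: one account, >= 20 attempts (distinct timestamps) within ten minutes
    brute = windowed_hits(events, lambda e: e[2], lambda e: e[0], ten_min, 20)
    return {"spray_sources": sprays, "bruteforced_users": brute,
            "mfa_hijacked_users": find_mfa_hijack(events, sprays)}

# Constructed sample log, not real Landspítali data.
SPRAYED = ["anna", "bjorn", "dora", "einar", "freyja"]
SAMPLE_LOG = (
    ["2025-01-10T07:30:00 10.0.0.8 bjorn mfa_registered"]  # legitimate prior enrolment
    + [f"2025-01-10T08:00:0{i} 203.0.113.5 {u} login_fail" for i, u in enumerate(SPRAYED)]
    + ["2025-01-10T08:01:00 203.0.113.5 freyja login_ok",  # sprayed password worked
       "2025-01-10T08:02:00 203.0.113.5 freyja mfa_registered",  # attacker enrols MFA
       "2025-01-10T08:03:00 203.0.113.5 bjorn login_ok",
       "2025-01-10T08:04:00 203.0.113.5 bjorn mfa_registered"]  # already enrolled: not a hijack
    + [f"2025-01-10T09:00:{i:02d} 198.51.100.7 gunnar login_fail" for i in range(25)]
)
```

Running `analyse(SAMPLE_LOG)` flags the spraying source, the brute-forced account and only the account whose first MFA enrolment was completed by the intruder; a registration on an already-enrolled account is reported separately by the spray/login checks, not as a hijack.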

Why This is a Game-Changer for the Security Culture in Iceland

Instead of sweeping this under the rug and just silently fixing these vulnerabilities, Landspítali has embraced transparency by allowing the public disclosure of this report. This is huge for security culture in Iceland. Too often, organizations try to hide security flaws, fearing reputational damage. The reality is that every system has vulnerabilities - it’s how we deal with them that matters.

By openly sharing this information, Landspítali is helping everyone in Iceland (and beyond) to better understand cybersecurity threats and how to defend against them. This kind of transparency sets a precedent for other institutions to follow. It signals a shift toward a culture of learning, improvement, and resilience.

The Role of Bug Bounty Programs (and Why It’s Awesome Landspítali is Doing This!)

Bug bounty programs allow IT professionals and ethical hackers, whom we call Defenders, to test security systems and report vulnerabilities before malicious actors can exploit them. It’s a proactive approach to security that has been adopted by major tech companies, governments, and now, Iceland’s main hospital.

Think about it - by participating in a bug bounty program, Landspítali is actively investing in cybersecurity, welcoming external expertise, and demonstrating a commitment to protecting its staff, patients, and our community. 

That’s something worth celebrating!

What Could Have Happened & What Was Prevented?

Had this vulnerability remained undiscovered, attackers could potentially have:

  • Gained access to sensitive hospital communications
  • Stolen sensitive data
  • Locked hospital staff out of their accounts
  • Escalated privileges to take over more critical systems

Instead, thanks to the Defender who reported this vulnerability and Landspítali’s IT team, these risks were mitigated. The IT team has since taken steps to secure the affected accounts, enforce better authentication policies, and strengthen their overall cybersecurity posture.

Looking Ahead: Defend Iceland & Landspítali’s Ongoing Partnership

This isn’t a one-time event - Defend Iceland will continue working with Landspítali to find and fix vulnerabilities before they become real threats. This partnership is a model for how ethical hacking, transparency, and a strong security culture can make Iceland a safer place, both online and offline.

Landspítali has set an incredible example. Cybersecurity is a shared responsibility, and by embracing collaboration and openness, they are leading the way toward a safer digital future for everyone in our community.

Kudos to Landspítali for taking this bold step, and to all the ethical hackers out there helping to make the internet a safer place!

Stay secure, stay vigilant, and if you work in IT - make sure MFA is enforced and completed!
