
Settings.yml config possibly reveals personally identifying information onto the open internet #9157

Open
kylesoskin opened this issue Feb 17, 2022 · 0 comments


@kylesoskin
Contributor

Hi, I am new to this codebase, so forgive me if this is not the place to raise this concern.

In some initial poking around I noticed that there are many (I assumed real; if they are fake, then ignore this) email addresses and list-shares/email groups in this file.

https://github.com/department-of-veterans-affairs/vets-api/blob/d3176d80e725886188fa2d9c6c79471ed5405255/config/settings.yml

Exposing emails, especially grouped together like this, has been frowned upon in my past experiences and provides a better attack vector for phishing scams.

For example, looking at this section:

# Settings for Education Benefits report uploading

I could email a person in one of those emails and use one of the other emails from the same place/group as the spoofed/from email. This would make the phishing attempt more personalized and more likely to work. Additionally, I could use context clues from the same doc to craft a more relevant subject for the email to further increase credibility.

I.e., a bad actor could do:

from(spoofed): Brian.Grubb@va.gov
to: kyle.pietrosanto@va.gov
subject: Urgent education benefits issue

All from info in this publicly exposed file.

Additionally there is a list of users who are admin users here:

admin_user_emails:

Which makes hacking in easier if I already know what accounts I need to go after to get admin access/phish for the password.

Also, having them exposed here just makes them easier for web-crawlers to find and send spam to, which is especially bad if there are listservs/email groups, which there are in here.

Brought this issue up on a call with @td-usds (I think I have his git handle correct).

This should probably be taken out and read in via env variable or kept as a secret in k8s or in some way in whatever manner this is deployed.

Thanks!

@kylesoskin kylesoskin changed the title Settings.yml config possibly reveal personally identifying information onto the open internet Settings.yml config possibly reveals personally identifying information onto the open internet Feb 17, 2022
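As an added example (not part of the issue and not vets-api code), the following Ruby script walks a Settings-style YAML document, flags every value that looks like an email address, and prints the ERB environment-variable placeholder a maintainer could commit instead, so the address itself lives only in the deployment's env or a k8s secret. The sample YAML and key names are constructed; the `<%= ENV[...] %>` form assumes the settings loader evaluates ERB, as the Rails `config` gem does.

```ruby
require 'yaml'

# Matches a whole string that looks like a single email address.
EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[a-z]{2,}\z/i

# Recursively walk parsed YAML and return [dotted.key.path, value] pairs
# for every scalar (including list elements) that matches EMAIL_RE.
def find_email_values(node, path = [])
  case node
  when Hash
    node.flat_map { |k, v| find_email_values(v, path + [k.to_s]) }
  when Array
    node.each_with_index.flat_map { |v, i| find_email_values(v, path + [i.to_s]) }
  when String
    node.match?(EMAIL_RE) ? [[path.join('.'), node]] : []
  else
    [] # integers, booleans, nil: never an email
  end
end

# Build the replacement to commit: the YAML names an environment variable,
# and the real value is injected at deploy time. List indices are dropped so
# a whole recipient list maps to one variable (e.g. a comma-separated value).
def env_placeholder(dotted_key)
  parts = dotted_key.split('.').reject { |s| s.match?(/\A\d+\z/) }
  "<%= ENV['#{parts.join('_').upcase}'] %>"
end

# Constructed sample settings file (hypothetical keys and addresses).
SAMPLE_SETTINGS = <<~YAML
  edu:
    report_recipients:
      - alice.example@example.gov
      - benefits-team@example.gov
    timeout: 30
  admin_user_emails:
    - ops.admin@example.gov
YAML

# Returns one hash per finding: where it is, what it is, and what to commit instead.
def scan(yaml_text)
  find_email_values(YAML.safe_load(yaml_text)).map do |key, value|
    { key: key, value: value, replace_with: env_placeholder(key) }
  end
end

scan(SAMPLE_SETTINGS).each do |hit|
  puts "#{hit[:key]}: #{hit[:value]}  ->  #{hit[:replace_with]}"
end
```

Run it against a real settings file with `scan(File.read('config/settings.yml'))`; a non-empty result is the list of values that should move out of the repository, and the same check can run in CI to keep them from coming back.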