Energy Department patched flaws enabling email impersonation in critical minerals system
nextgov.com
The Energy Department recently fixed an identity verification flaw in a portal supporting its critical minerals programs after a security researcher found the system allowed outside users to register with email addresses that appeared to belong to the department.
According to the researcher, Ronald Lovelace, the portal linked to the Office of Critical Minerals and Energy Innovation had allowed users to register or operate accounts that appeared to be associated with legitimate Energy Department email addresses without properly verifying ownership of those accounts.
The vulnerabilities could have let cyberspies present themselves as Energy officials within the system, potentially misleading researchers, contractors or other top officials who use the platform for program-related communications.
Officials have repeatedly described critical minerals work as economically and strategically sensitive. This particular Energy Department office coordinates efforts to secure domestic supplies of minerals essential to energy technologies and advanced manufacturing, while supporting research and funding initiatives ...

