Security through Obscurity



  • While going through the system outlined in “That 1 Special Category“, I noticed some other odd things.

    The system was designed to be used from within an iFrame embedded in my company’s website.  As such, the developers of the system never expected anybody to see the URLs of the different pages.  For my purposes, I need to break out of the iFrame, and view just the system itself (which is as simple as just View>This Frame).

    With the system in plain view now, I noticed that the URLs were a bit strange, considering the developers were using PHP session variables & hidden forms (submitted via Post) already.  The system apparently used the Get method of communicating with the server as well.

    Most of the URL contents were uninteresting.   Though,  foo=bar was more than a bit telling – obviously, as if the rest of the system weren’t enough, the developer(s) were first-time PHP users who probably followed several disparate tutorials to hack together the functionality of the system.

    One of the last Get variables however was: admin=false.  “That’s interesting.  I wonder what happens if I change it to ‘true’”, I thought.  I changed it to true, and I was greeted by the admin interface.

    From here I could do all kinds of things, including emptying the entire database (which I suspect held data for more than just my company).

    Given that experience, I wondered what might happen if I entered a bad value for one of the other parameters.  Changing catID to a known bad value caused PHP to present me with an unfiltered error message – one of those really helpful ones which shows the complete server path to back-end files end users shouldn’t know about.

    Pointing my browser to the file which threw the error brought up a download file dialog – the developers used a “.inc” extension for PHP includes, which isn’t parsed by the PHP engine, so Apache served it up as a standard file download.  Now I had a lovely file filled with source code (which the developers didn’t comment), and all kinds of details like server configurations, passwords, and so on.

    With this information in hand, anyone could do pretty much whatever he or she wanted.  And I somehow doubt that the company who developed this system is making regular back-ups.

    Beyond that, looking at the source code proved to me that the company was lying about its claims as to how their service worked.  According to their marketing material, all the data in the system was reviewed and matched by a team of industry experts, and that was their justification for charging for this service.

    In reality, the system merely executed a poorly designed MySQL query on a varchar(255) field.

    The really sad thing is that this is the only company offering this service.  With a little start-up money, and some research, I could easily corner the market.  Well, when the bar is set so low, I think just about anyone could corner the market.
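The three weaknesses the first post describes, a client-controlled admin flag, an unchecked ID that produced a path-leaking PHP error, and includes served as plain files, with the weak pattern beside a hardened one. This is an added example, not the vendor's code; the function names, the `role` session key and the `categories` table are assumptions.

```php
<?php
// Added example, not the vendor's system. Assumes a login routine already
// stored a server-side role in $_SESSION; all names here are hypothetical.

// WEAK: a query parameter decides who is admin, so anyone can rewrite
// ?admin=false to ?admin=true in the address bar (the flaw in the post).
function isAdminFromQuery(array $get): bool
{
    return isset($get['admin']) && $get['admin'] === 'true';
}

// FIXED: the role comes from server-side session state set at login;
// nothing the client sends is consulted.
function isAdminFromSession(array $session): bool
{
    return isset($session['role']) && $session['role'] === 'admin';
}

// FIXED: validate the untrusted ID before it reaches the query, and return
// a clean 400 instead of letting PHP's error text (with the server path)
// reach the browser.
function loadCategory(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE id = ?');
    $stmt->execute([(int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();
ini_set('display_errors', '0');   // never echo errors to end users
ini_set('log_errors', '1');       // keep them in the server log instead

if (!isAdminFromSession($_SESSION)) {
    http_response_code(403);
    exit('Forbidden');
}

// On the ".inc" problem: name includes *.inc.php so the PHP engine parses
// them, and keep them outside the document root (require __DIR__ .
// '/../private/config.inc.php') so Apache can never serve them raw.
```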



  • Pro Tip: Put a hat on and some high heeled shoes, and keep your head down when you go to the library to blow away their database.



  • Do you also have access to everyone's credit card information through admin=true? If so, find the developer's credit card and email it to him.



  • admin=file_not_found



  • Step 1: Dump their database using the passwords you found

    Step 2: Set up your own service

    Step 3: ???

    Step 4: PROFIT!

    Step 5: Get sued for hacking but waive that with the DMCA exception for "inadequate protections"


  • 🚽 Regular

    @jasmine2501 said:

    Pro Tip: Put a hat on and some high heeled shoes, and keep your head down when you go to the library to blow away their database.
     

    I echo this. Knowing the incompetence of these morons, if you come forward with what you found they'll accuse you of hacking their system and will fire you, if not seek legal action. Better to get them hacked from an unknown user in a library that they'll never find, and then ask you to fix it for them. You'll come out as the hero before you break their hearts telling them you quit.



  • @RHuckster said:

    Better to get them hacked from an unknown user in a library that they'll never find, and then ask you to fix it for them.

    Why would they ask him to fix it? He doesn't work for the company that makes the crummy product-- he works for the company that bought the crummy product.


  • 🚽 Regular

    @blakeyrat said:

    Why would they ask him to fix it?
     

    Because they're incompetent morons.



  • @RHuckster said:

    @blakeyrat said:

    Why would they ask him to fix it?
     

    Because they're incompetent morons.

    The only way they'd even know who he is is if he came up to them and said, "hum, that product I have some experience with seems to have suffered a... critical failure. Sure would be a shame if there was nobody with, oh say, this backup of the data I have right here..."

    And then you're way over the line into organized crime territory.



  • @KrakenLover said:

    The system was designed to be used from within an iFrame embedded in my company’s website.  As such, the developers of the system never expected anybody to see the URLs of the different pages. 

    That's a really strange assumption made by those developers, for two simple reasons:

    1. How would the developers know that your company has this in an iFrame / How do other customers use it?

    2. Even from within an iFrame you can trace the URLs with Fiddler and such...

    That's two major flaws in their unencrypted URL approach...



  • @steenbergh said:

    @KrakenLover said:

    The system was designed to be used from within an iFrame embedded in my company’s website.  As such, the developers of the system never expected anybody to see the URLs of the different pages. 

    That's a really strange assumption made by those developers, for two simple reasons:

    1. How would the developers know that your company has this in an iFrame / How do other customers use it?

    2. Even from within an iFrame you can trace the URLs with Fiddler and such...

    That's two major flaws in their unencrypted URL approach...

    The same kind of developer probably doesn't understand that one can turn Javascript off, or use a myriad of other things (eg Firebug/Developer Tools)


  • @jasmine2501 said:

    Pro Tip: Put a hat on and some high heeled shoes, and keep your head down when you go to the library to blow away their database.

    How is looking like a crossdressing weirdo going to make him/her less conspicuous?

    Protip: use something that conceals your identity without standing out, blend in.  Also go somewhere that can't be tied to you, etc, etc.



  • @serguey123 said:

    Protip: use something that conceals your identity without standing out, blend in.  Also go somewhere that can't be tied to you, etc, etc.

    Just change your MAC address (or use a cheap throwaway cellphone or netbook, if you're really serious) and head to Starbucks. No need for disguises, by the time anybody's looking for you they'll never see that MAC address again. (And that's even assuming they have enough clout to get the Feds to talk the ISPs into bothering to look for it.) (Also assuming that 1. these idiots keep web logs, 2. Starbucks can associate an IP+time with a store, and keep their logs as well) (Considering how unlikely those are, you're free and clear.)



  • @blakeyrat said:

    @serguey123 said:
    Protip: use something that conceals your identity without standing out, blend in.  Also go somewhere that can't be tied to you, etc, etc.
    Just change your MAC address (or use a cheap throwaway cellphone or netbook, if you're really serious) and head to Starbucks. No need for disguises, by the time anybody's looking for you they'll never see that MAC address again. (And that's even assuming they have enough clout to get the Feds to talk the ISPs into bothering to look for it.) (Also assuming that 1. these idiots keep web logs, 2. Starbucks can associate an IP+time with a store, and keep *their* logs as well) (Considering how unlikely those are, you're free and clear.)

    Err, I was not being serious and I'm pretty sure jasmine wasn't. I don't give that kind of advice on the off chance of an aiding and abetting charge.

    Anyways it depends largely on the country you are in, this might work in the USA but I'm not sure about China for example ;)



  • @serguey123 said:

    conceals your identity without standing out, blend in.
     

    Something like white clothes and hood, with a bright red ribbon around your waist, a small sword on your back, a huge stonkin' knife belt and a large mechanical, armoured glove with a fat stabber in it. Also walk slowly with your hands to your mouth, as though deeply in thought.

    Nobody'll suspect a thing.

     



  • @dhromed said:

    @serguey123 said:

    conceals your identity without standing out, blend in.
     

    Something like white clothes and hood, with a bright red ribbon around your waist, a small sword on your back, a huge stonkin' knife belt and a large mechanical, armoured glove with a fat stabber in it. Also walk slowly with your hands to your mouth, as though deeply in thought.

    Nobody'll suspect a thing.


    +1

    btw aliens ruined that game for me



  • @serguey123 said:

    Err, I was not being serious and I'm pretty sure jasmine wasn't. I don't give that kind of advice on the off chance of an aiding and abetting charge.

    Man is that really a crime? I have a few buddies, and half of what we talk about is spitballing effective terrorist tactics. (Protip: go for the power grid. High tension power lines, cellphone detonators, rural areas patrolled once a week at most.)

    Oh shit, now I'm doubly going to jail.



  • @blakeyrat said:

    Man is that really a crime? I have a few buddies, and half of what we talk about is spitballing effective terrorist tactics. (Protip: go for the power grid. High tension power lines, cellphone detonators, rural areas patrolled once a week at most.)

    Oh shit, now I'm doubly going to jail.

    It depends, I try not to give them the chance to put me in Gitmo. It's the same with code samples, I don't give those unless they are pretty basic, I don't want to be liable for a script kiddie's misgivings. Sadly that is the state we live in, unless the people grow some balls and stand up for their rights.



  • @RHuckster said:

    @blakeyrat said:

    Why would they ask him to fix it?
     

    Because they're incompetent morons.

    More reason why they wouldn't ask for help. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect




  • @intertravel said:

    See also http://opinionator.blogs.nytimes.com/2010/06/20/the-anosognosics-dilemma-1/

    Great article. I agree with Dunner that the "unknown unknowns" quote was actually refreshingly honest. I never figured out why people gave Rumsfeld flak for it.



  • @blakeyrat said:

    @intertravel said:
    See also http://opinionator.blogs.nytimes.com/2010/06/20/the-anosognosics-dilemma-1/

    Great article. I agree with Dunner that the "unknown unknowns" quote was actually refreshingly honest. I never figured out why people gave Rumsfeld flak for it.

     

    The probable reason people made fun of it is that it sounds funny to the way most people in the US talk, even if he immediately explained it.



  • @locallunatic said:

    @blakeyrat said:

    @intertravel said:
    See also http://opinionator.blogs.nytimes.com/2010/06/20/the-anosognosics-dilemma-1/

    Great article. I agree with Dunner that the "unknown unknowns" quote was actually refreshingly honest. I never figured out why people gave Rumsfeld flak for it.

     

    The probable reason people made fun of it is that it sounds funny to the way most people in the US talk, even if he immediately explained it.

    Well, it's a hard concept to explain, since by definition you don't know what the things you don't know you should be asking are. I think "unknown unknowns" is a pretty concise and clear way of putting it, personally. But yes, I can see how people would think it sounds funny.

    In any case, even if it was near-gibberish, it's refreshing to see a politician at his level admit there's stuff he doesn't know-- especially when talking about terrorism intelligence! That gets respect points from me.



  • Build a competing system from scratch. Preferably one that not only does what these guys do, but one that actually works as it should and without the god-awful security!



  • @serguey123 said:

    How is looking like a crossdressing weirdo going to make him/her less conspicuous?

    Because then they'll be looking for a "cross-dressing weirdo". Which is only helpful if the person they're looking for *is* a cross-dressing weirdo.

     



  • @Watson said:

    Because then they'll be looking for a "cross-dressing weirdo". Which is only helpful if the person they're looking for is a cross-dressing weirdo.

    So, if this isn't your regular attire, then you should definitely go to a public place to hack this godforsaken system in this (or similar) get up.

    Frank N. Furter



  • @Douglasac said:

    So, if this isn't your regular attire, then you should definitely go to a public place to hack this godforsaken system in this (or similar) get up.

     

    Ah, good times those were when that attire made you inconspicuous.


  • @Ilya Ehrenburg said:

    @Douglasac said:

    So, if this isn't your regular attire, then you should definitely go to a public place to hack this godforsaken system in this (or similar) get up.

     

    Ah, good times those were when that attire made you inconspicuous.

    A KISS concert or The Rocky Horror Picture Show?



  • @blakeyrat said:

    I never figured out why people gave Rumsfeld flak for it.
    Because they opposed his politics, and were able to damage his reputation by quoting him out of context.



  • @intertravel said:

    @blakeyrat said:
    I never figured out why people gave Rumsfeld flak for it.
    Because they opposed his politics, and were able to damage his reputation by quoting him out of context.

    But that is the heart of politics and journalism, citing people out of context so that they appear as idiots, unless they are idiots we like.



  • @serguey123 said:

    @jasmine2501 said:

    Pro Tip: Put a hat on and some high heeled shoes, and keep your head down when you go to the library to blow away their database.

    How is looking like a crossdressing weirdo going to make him/her less conspicuous?

    Protip: use something that conceals your identity without standing out, blend in.  Also go somewhere that can't be tied to you, etc, etc.

     

    http://en.wikipedia.org/wiki/Where_in_the_World_Is_Carmen_Sandiego%3F_%28game_show%29



  • @stratos said:

    @serguey123 said:

    @jasmine2501 said:

    Pro Tip: Put a hat on and some high heeled shoes, and keep your head down when you go to the library to blow away their database.

    How is looking like a crossdressing weirdo going to make him/her less conspicuous?

    Protip: use something that conceals your identity without standing out, blend in.  Also go somewhere that can't be tied to you, etc, etc.

     

    http://en.wikipedia.org/wiki/Where_in_the_World_Is_Carmen_Sandiego%3F_%28game_show%29

    Loved the first game, never played the others nor watched the show



  • @serguey123 said:

    @Ilya Ehrenburg said:

    Ah, good times those were when that attire made you inconspicuous.

    A KISS concert or The Rocky Horror Picture Show?

     

    The Rocky Horror Show, or, rather, the 70s (and early 80s) in general. We were young, we had fun, the future was ours (and the music was better too).


  • Trolleybus Mechanic

    @Ilya Ehrenburg said:

    The Rocky Horror Show, or, rather, the 70s (and early 80s) in general. We were young, we had fun, the future was ours (and the music was better too).
     

    It still is-- until 20 years from now, when it will all suck again. Stupid kids.



  • @Lorne Kates said:

    @Ilya Ehrenburg said:

    The Rocky Horror Show, or, rather, the 70s (and early 80s) in general. We were young, we had fun, the future was ours (and the music was better too).
     

    It still is-- until 20 years from now, when it will all suck again. Stupid kids.

    You suck now. Sorry to break this to you.


  • Trolleybus Mechanic

    @blakeyrat said:

    @Lorne Kates said:

    @Ilya Ehrenburg said:

    The Rocky Horror Show, or, rather, the 70s (and early 80s) in general. We were young, we had fun, the future was ours (and the music was better too).
     

    It still is-- until 20 years from now, when it will all suck again. Stupid kids.

    You suck now. Sorry to break this to you.

     

     

    Stop bringing me down, The Man.

