I was googling someone's email address the other day and was able to access the admin panel of a corporate mailing list management software where I was able to view their data and accessed every email they had, including notes about them.
Totally messed up. I didn't try but knowing the slugs now I recon not too hard to find similar instances
There is a talk from a security researcher about visiting random HTTP servers exposed to the internet.
He found the control panel for a power plant, an ice skating rink, traffic lights, etc.
There was even a button that you could press to put the traffic lights on test mode, that had a message saying "Warning: injury or death can occur".
No authentication was required for any of those systems. Why? because some people wrongly believe that not being behind a domain name and not being on a search engine (other than shodan, of course), makes their shit secure.
That's why sometimes I think working in IT or software should require a license.
Until then, it would be helpful if projects prompted during installation to setup authentication (and didn't continue without) and were bound to localhost.
I wonder why MySQL and postgresql databases don't show up on these lists.
The presentation mentioned below in the thread is not bad.Sounds like its the one you were referring to, but for complete madness and awe I recommend to watch this one:
"115 batshit stupid things you can put on the internet in as fast as I can go" by Dan Tentler
There is a point where they find a large Dam in France with water gates control available in the Internet. They use the US Embassy to contact the French government department responsible and urgently do something about it.
They are told: "Not right now, we are currently on holidays..." :-)
The idea was not to detect how many databases are there on the internet, but rather unauthenticated/vulnerable ones. It is possible that the databases exist on US west coast, but aren't vulnerable. The maps were generated using ipinfo.io (linked in the article).
This can be mitigated (at least to some extent) if database vendors forced requirement of passwords (at least semi strong) during installation, no? Is there a reason why I should be allowed to access a database (even if it is local, on my laptop) without a password?
25 comments
[ 3.3 ms ] story [ 65.6 ms ] threadTotally messed up. I didn't try but knowing the slugs now I recon not too hard to find similar instances
Of course this only happens if you fail to exclude this in robots.txt, so there’s probably plenty more wide open but not indexed.
He found the control panel for a power plant, an ice skating rink, traffic lights, etc.
There was even a button that you could press to put the traffic lights on test mode, that had a message saying "Warning: injury or death can occur".
No authentication was required for any of those systems. Why? because some people wrongly believe that not being behind a domain name and not being on a search engine (other than shodan, of course), makes their shit secure.
That's why sometimes I think working in IT or software should require a license.
I wonder why MySQL and postgresql databases don't show up on these lists.
IMO the problem isn't lack of training or another licensing scheme but the lack of budget companies allocate to QA & Security.
When you know you can lose your license, being a duct tape programmer becomes a liability.
People will want to understand what they do, and be reluctant to work for tech debt mills.
As a result, tech debt mills would die and be forbidden from making software. It would be a wonderful world.
"115 batshit stupid things you can put on the internet in as fast as I can go" by Dan Tentler
https://youtu.be/hMtu7vV_HmY
There is a point where they find a large Dam in France with water gates control available in the Internet. They use the US Embassy to contact the French government department responsible and urgently do something about it. They are told: "Not right now, we are currently on holidays..." :-)
Heh.
Why must we reinvent everything? Even obvious things…
https://www.eyeofjustice.com/od/
https://opendirsearch.abifog.com/