48 comments

[ 2.3 ms ] story [ 98.3 ms ] thread
By stating "Comunidad autonoma" without a proper English translation for the term (region, subdivision) I already knew the author should be a Spaniard, but setting up that in the clear in the "about" page it' s even worse.

With the "Usuarios" term it wouldn't be too bad, Latin/Greek technical terms mostly are the same in most English and Romance countries.

But, please, never give location info to anyone, FFS.

The best part of the post is certainly the Spanish author using target.com as a generic placeholder to explain the attack, when target is an actual chain with more than 300 stores :D
Substantially more than 300 stores. Per Wikipedia...

> The eighth-largest retailer in the United States, it is a component of the S&P 500 Index. [...] As of 2019, Target operated 1,844 stores throughout the United States.

Yeah, that's the first thing I noticed. It's incredibly irresponsible to post examples without using example.com in order to ensure you don't actually hit someone's web service.
Knowing what I know about these kind of consultancies and "concursos publicos" in Spain, I wonder if you saw any illegal or at least shady activity or conversations going on? Are you not concerned about being sued for this prodding? Spanish companies are known for prosecuting white hat hackers.
You meant I___a?
Given how most spanish companies work, more than likely.
Holy mac-shit-snacks! "..got access to the dashboard as a Super Admin in less than 1 minute. The password of this guy was the same as his username." AND credential reuse. Ouch.

Ding, Ding, Ding! I think we have a winner for the fastest way to the unemployment line.

(comment deleted)
Firing employees for not knowing proper security practices is like being a teacher and firing your student for not knowing the answers on a test.

The employer should be performing proper audits and password rotations and/or educating their employees. It should never be "stupid users", but "stupid me".

Not parent, but I reckon that a company might see "oh this employee didn't follow our clearly signposted security guidelines, let's just fire them and get on with our lives" as an easier way out than "we have to actually start to invest into security".

I'm not saying that's good, but I could definitely see it happening.

Yes unfortunately this is also the case - but many companies don't even have the "clearly signposted security guidelines" to begin with.
With GDPR you must take security into account from the design.

If you don't do this, the customer DPO might stop the project anytime, or you would have to undo all the reso it again untilt the DPO approves it.

I have no wish to start a flame-war here but I would politely disagree with your point of view. Even non-techie users are taught not to reuse credentials. Sure, they still do buuuttt...as an Admin for a 300+ client CMS system ... to not know any better is inexcusable. Even if they didn't know it at the time of starting out in the industry - at what point would they be so blind as to not know / have read about hacks of others and/or the existance of haveibeenpwned and seen the error of their ways?

Sorry but no. No.

> to not know any better is inexcusable

Where are they supposed to get this information if they're never taught it?

> at what point would they be so blind as to not know / have read about hacks of others and/or the existance of haveibeenpwned and seen the error of their ways?

Most people outside the tech departments have no idea what those things are. They think hacking is stuff that happens in movies, not in real life.

Sorry, but yes yes.

Umm this guy should tread lightly. Whats up with the prodding? This is some straight up blackhat hacking.
Yes, this crosses all the lines. You can debate the finer points of the SQL injection bit, but the moment he got into Rocket Chat admin and started gratuitously stealing employee cookies, there's just no way to paint that any color other than black.

As his bio states, he's a software engineer - clearly not a security professional, because he's steamrolling right through all infosec ethics.

A quick Google search for his username yields his GitHub with his real name, and he has a LinkedIn. He graduated from the same university as me.

Blackhat is not a good hobby, especially not with no opsec.

If I was interviewing the author for a role their complete disregard for infosec ethics would be a hard "no" from me - no matter how good they might be at interviewing.
I think this depends somewhat on how old they were - young people do stupid things.
His LinkedIn profile photo would indicate he's not exactly early-20s.
>Blackhat is not a good hobby, especially not with no opsec.

Putting your ident in the clear (or at least trivially bound to a real ID) is not better than having shitty security defaults.

Dude, I'm not comfortable posting source of my online radio, because it uses ytdl, and here a guy casually strolls into blackhat territory, downloads 3k tables (presumably from to his home computer, using home pc, bonus points if that happens at work), then logs in as super admin to an e-shop, effectively takes over someones company chat and steals employee cookies. And writes about it AND ADVERTISES ON TWITTER under HIS OWN NAME. Is he INSANE or taking coke by a handful? Dude, you want to be legally forbidden to use a computer? because that's how you get legally forbidden to use one.
"I thought about writing an email to these people, let them know about the vulnerabilities in their code, and the bad practices they have, but I didn’t at this point. I felt like I was able to find more things regarding this company."

Oof, that's bad behavior. I wouldn't be proudly blogging about this.

Once he found the SQL injection, downloading the tables was too far IMO.

On the other hand if he had stopped at this point, the company would have no idea about the weak admin credentials that could lead to real data breach and internal compromise at a later date.

If he has no malicious intent and is not going to view/sell or do anything malicious with the data, I think it’s fine or even beneficial for him to continue to find further vulnerabilities and then report the whole package of vulnerabilities to the company. As long as he wraps it up within a few hours or say max 24 hrs and then immediately reports after that.
Yeah, once I read that, the entire rest of the post had a suspect tone, even if it was very informative and enlightening (as someone with 0.00 infosec experience). I understand if you discover the vulnerability from curiosity and stop and report. But to keep going to “find more things [about] the company” seems pretty obviously illegal or at least gray morally.
Yeah, very poor judgement. What he did was deeply unethical and almost certainly illegal. You don't get a free pass to break into wherever you like simply because your intentions aren't malicious. That's what professional pen-testers are for.
I don’t think HN should be a place for “company shaming”… unless the author contacted the company and they denied/rejected/threaten him instead of fixing the issues. I guess it did not happen.

I see HN as a place for collective learning. I don’t see what we can learn from this post.

Which company is shamed in this post?
Well for one: his employer, who is identified in the clear his twitter bio which uses the same handle as his domain.
Two companies: his employer because of his lack of ethics and the consultancy firm. The CMS and the company are very well known in the Spanish technology scene and it’s not the first time I have read this kind of reports about their CMS. I will not disclose the name but easy for any Spaniard working in IT.
Sounds that they need even more shaming to get their act together.
What's the consultancy firm ? indra ?
This is incredibly unethical behavior that we should not be condoning.

If this were someone employed under me as a security professional they would be fired for negligence.

Same thought. Not only is this unprofessional and unethical, he's also put himself on the hook for both civil and criminal liability. If he used his employer's resources for this, his employer might also end up in trouble.
How legal is what this guy did in Spain?
(comment deleted)
tbh, not too legal anywhere.
He did not disclose the company name (but easy to guess if you work on IT in Spain), so I don’t think he could have legal issues because of the post.

But, the cyber security professionals working in the consultancy firm can gather easily the small pieces of information left behind and sue him if they find out data extraction, for example.

Keep in mind that he claims he extracted sensitive data, but he could be lying just to be in the HN front page. Who knows.

Unethical, risky… and very stupid.

Not legal at all, like in the rest of the European Union. Just publishing this information will make the consultancy send a notification to the Spanish Data Protection Agency, and will cost them money.
So the author has admitted to unauthorized computer access in his blog post. I'm wondering whether or not he will be prosecuted. Would the target he hacked need to press charges?
It's no wonder wallapop sucks so much when they employ someone like you.
Reading this makes me appreciate all the burglars out there helping us figure out how easy it is to break in to our houses and take all of our stuff, especially the ones who don't just take the TV and electronics, but who put out that extra bit of effort to rummage through our collectibles to see if they can steal something that's really hard to replace.
Hi there, I'm the author of the post.

I want to clarify that the post/report has been agreed with the consultancy. Some of you would consider this as bad behavior from my side, and I'm sorry to hear that. What would you do if you ever find something like this? All this has been reported, and it’s being fixed. DISCLOSURE accepted, and that’s why the post/report won’t contain names ever. IMHO bad behavior is having all this information available "open to the Internet.", waiting for someone else to come with really unethical purposes. If you ever find a vulnerability and keep quiet about it, I don’t think that makes you any more ethical.

Regards,

edbrsk

You need to go through some proper infosec courses/certifications. Your approach to writing is unprofessional and unethical and you did NOT clarify what measures you took or under which pretense the affected company/companies agreed to you writing this disclosure statement.

As an aside, your writing style comes off as arrogant and childish. Proper disclosures don't read like Hackers fanfic.

Hi Josh,

I don't see where I'm being arrogant in the post, and actually, you are right, it's not a "professional" report, it's just the summary about how "easy" some data can be stolen, and what people with really bad porpoises could do with a little bit of luck (The "big" problem it's just weak credentials in the end). It's a blog post, not the report itself.

About clarifying the measures and the communication with the company, this is something that it's not related to the idea of the post, and no one else's business.

Someone else's published my post here in HN, and I saw some "overreacted concerns", my idea was just to say: "They know, it's safe, I'll help to fix things, don't worry. Take care of your creds, that's all". Also, thank you for the tip, I'm about to get the OSCP soon, I'll take into account your advice.

Regards,

edbrsk