Ask HN: Real-life, ridiculous security incidents?

66 points by jdthedisciple ↗ HN
I was reading some of the comments in this submission about attackers trying to brute force ssh credentials.

https://news.ycombinator.com/item?id=36169954

In the comments fellow HN'ers were discussing the possibilities of XSS attacks using the password.

This had me thinking, have there actually been such successful attacks in your experience and how regular are they? Think of some kind of ridiculous XSS using <script>...</script> or anything similar.

Are these still successfully happening in 2023?

35 comments

[ 3.0 ms ] story [ 81.7 ms ] thread
No, they aren't happening. Everybody is sanitizing all of their user inputs in against all possible vectors and when administrators visit such user generated content and their cookies just happen to expire at that moment, they just enter their password into the dialog securely and go about their day. Their password does not grant any sort of elevated privilege to any systems.

Stop ruminating on such ridiculous fantasies and occupy your mind with something productive instead.

(comment deleted)
At first I didn’t realize you were being sarcastic because I have heard CISOs say those things verbatim before.

I’m a bit sad at the state of things sometimes.

The OP just said "ridiculous" so many times that it appeared they wouldn't entertain a serious reply anyhow.
Big fails from small things are common. A few recent examples off the top of my head -

  1. Bing.com had an issue whereby attackers could inject XSS code to all visitors, due to a simple misconfiguration in Azure.
  2. Visual Studio Code had a Remote Code Execution vulnerability triggered by a simple link.
  3. LastPass had all of its secrets and backups taken via a compromised developer's machine.
  4. CircleCI was breached and leaked everyone's OAuth tokens and secrets by malware.
  5. Heroku and Okta were breached due to a compromised token, had their source code taken, and potentially leaked customer secrets.

[1] https://www.wiz.io/blog/azure-active-directory-bing-misconfi...

[2] https://github.com/google/security-research/security/advisor...

[3] https://blog.lastpass.com/2023/03/security-incident-update-r...

[4] https://circleci.com/blog/january-4-2023-security-alert/

[5] https://status.heroku.com/incidents/2413 https://www.bleepingcomputer.com/news/security/oktas-source-...

An employer I worked for would allow you to reset anyone's passwords by calling the help desk, providing their username, and their direct manager.

I told the ciso this and she asked how a bad actor would figure this out, I said linkedin. She didn't seem pissed so I laughed and 5 minutes later reset her password and sent an email to her self as proof.

That policy changed quick...

Thats the same security level that Microsoft had. You could get access to any Skype account by contacting business chat support and providing the username and a few contacts of the account you wanted to take over...
Not like you could go into service now and get all of that info. ¯ \ _ ( ツ ) _ / ¯
Log4j was kinda like that, abusing the logging.

Lately there’s been a number of hacks of smaller websites using methods of exfiltrating the session cookie via XSS or otherwise injecting malicious scripting (imagine if HN let you upload a script as a comment by accident, or would allow a script uploaded as a jpg).

> abusing the logging

The log4j attack was code injection[1] exploit resulting from interpreting unsanitized data from untrusted parties. In that respect it falls roughly in the same umbrella as SQL injection. There are many tools or libraries that define some kind of little language to allow for scripting or executing some action.

1 https://owasp.org/www-community/attacks/Code_Injection

Credit card skimming using XSS vulnerabilities is a pretty common attack, even in 2023. If someone can get a two line script on a checkout page, they can steal everything you type in.
Not necessarily a malicious attack, and pre-covid, but I was able to get into my "secured" office building by just tailgating or waving to the security guard, even though we're supposed to check our badges with them every day.
My story is more of a facepalm since there was no known hack that came of it.

My former employer had a helpdesk website that was written in Perl 4 in the '90s by some interns. The users' passwords were stored in plaintext in /var/www under a subdirectory. Anyone who guessed the URL could have stolen those passwords and accessed a trove of information and data of some of the biggest financial institutions.

My coworker and I patched it up as much as we could (2018-20), upgraded it from RHEL 4 to 7/8, Perl 5, fixed the public password issue, and flagged it with management but it largely fell onto deaf ears at the time.

I am still amazed at how blatantly incompetant and reckless some companies are.

I discovered a SQL injection vulnerability in the credit card rewards site of a major US bank in 2011. A VP finally called me a day later and asked what I wanted — they thought I was a hacker trying to extort them, he told me they had been in meetings all day about it. They didn’t bother looking up my information to see that I had been an account holder for more than ten years.

The site was down for a few months while I assume they fixed and audited the whole product. They never told customers what happened.

I bet you could have gotten far with a reply to the effect of “a job.”
Much of the time this stuff is outsourced to a 3rd party. Even many "big" banks don't really want anything to do with developing their own software.
I'm sure the ONLY capacity they could think to use this guy would have been to actively develop their web software. /s
Whatever you ask for may be (mis-)interpreted as extortion. There's very thin ice in that direction.
Oh you cant stop there.

What did you tell them you were doing? how did they react?

Super interesting story.

Alright, this is more than you’re asking for but here’s the full story as I remember it. It was a long time ago so some of it is fuzzy. I don’t think I ever shared this story publicly before.

October 2011. I went to the rewards program site for my bank one day. I had a problem logging in and was frustrated. I’m fairly certain that it was telling me my account didn’t exist but I was sure I had previously registered. The error message stuck out. I was coding recreationally at the time, LAMP stack, and I was acutely aware of the dangers of SQL injection in PHP forms. The error message struck me as a database error, not an application error, and that combined with some other odd details on the page (I can’t remember what they were, it just seemed weirdly amateurish) made me wonder just how bad the page really was.

I wrote some basic injection query on the login form, some `GET * FROM… WHERE email=` on a users table. I remember limiting it carefully because I didn’t want to see other people’s data. And it came back with another error that was straight from the database! I think my query was malformed but it did show me something about the table. Then I thought, “there’s no way they’re using an account with write privileges, right?” I inserted a row, or maybe changed a row in another injected query and it was successful. I was freaked out! The most disturbing piece was a credit card number column. I can’t remember if I found my own row and saw my own number or what — for all I know it was hashed — but it worried me.

I wasn’t sure how to handle it. I just a moment ago found the old messages in my social media account and… oof. Looking back, I see why they might have been concerned. I was 27 and trolly. My internet behavior was obnoxious. I was the type who posted whatever “funny” thing popped in their head, random observations, argued with every troll, had an opinion about absolutely everything and wanted everyone to know it. In this case I posted a public message, paraphrasing: “Huge vulnerability on @big_bank site. Think they’d be pissed if I posted screenshot or did a blog post or should we talk direct?” Smooth. I can’t find their reply but I think they told me to DM them info. I see a DM that says “RE: vulnerability on your site, {my phone number} ASAP.” Very reassuring.

36 hours passed. I remember getting off the 7 train in Flushing, Queens after work and my phone rang. It was a VP at the bank. He introduced himself, told me they were very concerned about this, and wanted to know what I was looking for. “What am I looking for? I want you to fix it and tell your customers what happened!” Then he asked me to walk him through the timeline, including what (if any) queries I ran. I told him exactly what happened. It sounded like they had already found it through logs so they knew I had injected some simple data via the form. He told me that they had been in meetings all day talking about how to respond and confirmed that people were listening to the call. It was clear that they didn’t look me up in their system despite my name being on my social media profile and the phone number being associated with the account. We talked for maybe 10 minutes.

One interesting detail that came out was about the origin of the credit card reward site. When I was first poking at the page, I noticed that it had a .php extension. This was odd to me first because none of the other pages in their online presence presented that way. I was also used to seeing URLs rewritten — it looked sloppy. I had a hunch that this was built by an outside company, which would explain lack of compliance with the standards they likely had elsewhere. I asked him about this and he said “I can’t confirm that but I think you’re onto something” — something like that. I later did some more investigating and confirmed it. This bank started as a regional bank and grew. They used a web development group in their home town for this particular product. The same company provided it for other banks! ...

Great story! Thanks for sharing. I always wondered how a company might respond to such a big security flaw being shared with them out of the blue.
(comment deleted)
A few years back, a game (Racecraft from Sandbox Games) had client log files point to an admin control panel behind a login page... whose login form had valid credentials inserted into it as default values.
Back in 2014, I was trying to scrape a flash-based webpage for my employer and discovered a random XML file being downloaded by the webpage. Inside it was a commented-out admin username and password. My employer instructed me to try the credentials and they worked... I can't say what the webpage was or whose data was compromised, but for sure there were a lot of fortune x00 and other institutions you've heard of inside there.
LastPass got taken down because they allowed a developer to work remote from their home on their own personal PC. That PC had an unpatched vulnerability within the version of Plex that the user was running.

Some hackers got into their machine on a basic hack, and then hung around long enough to poke around and find the Plex vulnerability.

They were able to inject their own code into the vulnerable Plex, and then ran a basic keylogger in the background without their knowing.

At that point, they watched the user type in their LastPass admin credentials, and at that point they had the keys to the kingdom because LastPass didn’t have better auth protection.

Many layers of the onion failed here which added up to a Swiss cheese effect. The hacks were very elementary, and nothing compared to something like Stuxnet or the NSO hacks.

UPS had this XSS in mid 2021 -

https://www.bleepingcomputer.com/news/security/phishing-camp...

What is a "ridiculous security incident", is it something you think is easy after someone explains to you what happened after it happens in a void without the business logic and workplace dynamics?

Or something silly like XSS in passwords from known hackers?

This is funny especially because of the quote they managed to get, graffiti artists graffitiing anti-graffiti QR codes with pro-graffiti videos -

Melbourne Lord Mayor says 'vandalism' of QR codes for reporting graffiti 'so frustrating' - https://www.abc.net.au/news/2023-01-01/melbourne-lord-mayor-...

The most terrifying one I've ever heard of was a major global bank[1] who received a call from a national telco about a bill for a leased line to one of their data centers that had been unpaid for 6 months. They had no records of this line.

The attacker had managed to get an unmonitored physical connection installed directly in their data center and was able to exfiltrate data completely without any limitation other than bandwidth for 6 months without detection.

This story was never reported as far as I know.

[1] I'm not going to name them but if the name came out I don't think anyone would be surprised who it was.

I've got two. The first one is a bit older, from around 2015. It was a small platform that did have a Java Web Start app for some features. It downloaded an app, where you were automatically logged in. However, when downloading it, I noticed that there was no secret or anything transferred, just your username. Turns out, the downloaded application contained a database connection string with full owner rights. As far as I know, that was never fixed.

The second one was a bit more severe, and happened just last year. At our company, we're using a service to host private package feeds for some libraries we're selling. Users get their own account, and usually use an API key authentication to get the packages. However, we've discovered that one client, although a paying customer, didn't have proper rights assigned to their account. After contacting them, it turned out they could access everything just fine, and never noticed a problem. They did have their own user account, along with their own API key. However, for the actual authentication, they used _their_ API key with _my_ account name, and that worked. The service was first checking if the API key was a valid one (which it was, for some account without any access rights), and then checked if the user did have access (which it did). But there was no check whether the API key actually belonged to the user account. So, with publicly available information (account names) and a free account to generate API keys, you could essentially access any private packages you wanted. That one was a bit more scary, and took half a year and multiple emails to finally get resolved.

Many, many years ago I was at a company where a manager (M1) wanted full root access to all of the internal servers (mostly file/web servers, router/firewall and the mail server). It's lost to the sands of time as to why, but he was persistent.

There was quite a bit of back and forth between the team that managed the servers, the owners of the company and M1. After a few weeks M1 was finally given access. Within a couple of days he brought a complaint against another manager (M2) that M2 had hijacked M1's personal email and was storing it on one of the internal servers.

Meetings were held into the night to discuss what should be done. M2 was called in, credentials revoked and they were placed on leave while an investigation could take place. Overnight every single server was compromised and no one could get in to anything.

M2 brought in a lawyer, the company brought in a lawyer and all of management and most of the employees were sat down in a room to figure out what to do about this mess.

Turns out M1 had re-used the same "password", which was a single lowercase english word, on EVERYTHING. His personal email, any account on any service maintained by the company and had changed his secure password on the superuser accounts he had just been given to the same one.

There was a literal paper trail of M1 providing this password to the majority of the people in the company. Provided in printed memos asking to have accounts set up, emails asking to have accounts set up, other people having it on the standard sticky note on monitors, M1 saying "and make the password..." in the common workspace for anyone to overhear, etc etc.

Of course, one of the servers had SSH open for remote access... and you can see where this is going.

Expensive forensics team was brought in, servers recovered, and it was determined that M1's account on the SSH server was targeted by automated logins not too long after he was added to the company's website.

M2 is cleared and brought back, M1 had their role decreased and was gone not soon after.

As someone shared their findings with some bank related case, I'd like to share mine:

Approx 15 years ago I was installing POS system to one second hand store. It was just a beginning of online authorizations and there were few issues with reliability of those that time. As testing was hard, I usually tested operations by trying to make 10kEUR transaction with my expired Visa Electron card. If it worked correctly, I got "denied" response back. It was some time in November when the installation happened. I tested transactions and those went through as approved. I canceled the transaction and cancel went through also. After few tests we found out that payment terminal had some weird demo credentials and finally we got that fixed.

Then, shop finally opened on January. Shop owner called me that their bank account has now negative balance. I joked something about the issue that why he calls me about that and I forgot the thong for few days. Then, after few days he called me again and said they have started police investigation about that fraud. On same evening, I was paying my personal bills and noticed that I had about 65kEUR too much money on my account. Sent immediately message to store owner that I probably have his money but I do not know why.

Well, next day I was suspect of fraud. I started to move money back to customer, but it was not possible for some reason on one tx, it was limited to 10kEUR/day. So it took like a week until customer had their money back.

So what happened: Normally payment terminal transactions expired after three months. Meaning that bank would reject if batch includes older. That was not case here, as there was exception that if same transaction has cancel transaction on same batch, then it is accepted. But, on some later process, they rejected all the normal transactions but accepted the cancels.

So there was real bug on some bank system and bank tried to force me to sign NDA that I would not tell about this issue. I did not see any reason to sign that but most probably they fixed that very soon.

I worked for an internet security company that shall remain nameless. We had a virus outbreak because the company president opened an email attachment.
found an XSS on Metacritic.com a few months ago in their search results URL

didn't expect a site that big to have this kind of weakness going unnoticed for years