Ask HN: Real-life, ridiculous security incidents?
I was reading some of the comments in this submission about attackers trying to brute force ssh credentials.
https://news.ycombinator.com/item?id=36169954
In the comments fellow HN'ers were discussing the possibilities of XSS attacks using the password.
This had me thinking, have there actually been such successful attacks in your experience and how regular are they? Think of some kind of ridiculous XSS using <script>...</script> or anything similar.
Are these still successfully happening in 2023?
35 comments
[ 3.0 ms ] story [ 81.7 ms ] threadCasino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer
https://thehackernews.com/2018/04/iot-hacking-thermometer.ht...
Stop ruminating on such ridiculous fantasies and occupy your mind with something productive instead.
I’m a bit sad at the state of things sometimes.
[2] https://github.com/google/security-research/security/advisor...
[3] https://blog.lastpass.com/2023/03/security-incident-update-r...
[4] https://circleci.com/blog/january-4-2023-security-alert/
[5] https://status.heroku.com/incidents/2413 https://www.bleepingcomputer.com/news/security/oktas-source-...
I told the ciso this and she asked how a bad actor would figure this out, I said linkedin. She didn't seem pissed so I laughed and 5 minutes later reset her password and sent an email to her self as proof.
That policy changed quick...
Lately there’s been a number of hacks of smaller websites using methods of exfiltrating the session cookie via XSS or otherwise injecting malicious scripting (imagine if HN let you upload a script as a comment by accident, or would allow a script uploaded as a jpg).
The log4j attack was code injection[1] exploit resulting from interpreting unsanitized data from untrusted parties. In that respect it falls roughly in the same umbrella as SQL injection. There are many tools or libraries that define some kind of little language to allow for scripting or executing some action.
1 https://owasp.org/www-community/attacks/Code_Injection
My former employer had a helpdesk website that was written in Perl 4 in the '90s by some interns. The users' passwords were stored in plaintext in /var/www under a subdirectory. Anyone who guessed the URL could have stolen those passwords and accessed a trove of information and data of some of the biggest financial institutions.
My coworker and I patched it up as much as we could (2018-20), upgraded it from RHEL 4 to 7/8, Perl 5, fixed the public password issue, and flagged it with management but it largely fell onto deaf ears at the time.
I am still amazed at how blatantly incompetant and reckless some companies are.
I have seen videos of people cruising other companies jenkins dashboards. It's is horrifying, people put all kinds of keys into jenkins. Thousands of companies are rooted. Jenkins makes Wordpress look like modern secure software.
on and on, https://www.trendmicro.com/vinfo/pl/security/news/cybercrime...
The site was down for a few months while I assume they fixed and audited the whole product. They never told customers what happened.
What did you tell them you were doing? how did they react?
Super interesting story.
October 2011. I went to the rewards program site for my bank one day. I had a problem logging in and was frustrated. I’m fairly certain that it was telling me my account didn’t exist but I was sure I had previously registered. The error message stuck out. I was coding recreationally at the time, LAMP stack, and I was acutely aware of the dangers of SQL injection in PHP forms. The error message struck me as a database error, not an application error, and that combined with some other odd details on the page (I can’t remember what they were, it just seemed weirdly amateurish) made me wonder just how bad the page really was.
I wrote some basic injection query on the login form, some `GET * FROM… WHERE email=` on a users table. I remember limiting it carefully because I didn’t want to see other people’s data. And it came back with another error that was straight from the database! I think my query was malformed but it did show me something about the table. Then I thought, “there’s no way they’re using an account with write privileges, right?” I inserted a row, or maybe changed a row in another injected query and it was successful. I was freaked out! The most disturbing piece was a credit card number column. I can’t remember if I found my own row and saw my own number or what — for all I know it was hashed — but it worried me.
I wasn’t sure how to handle it. I just a moment ago found the old messages in my social media account and… oof. Looking back, I see why they might have been concerned. I was 27 and trolly. My internet behavior was obnoxious. I was the type who posted whatever “funny” thing popped in their head, random observations, argued with every troll, had an opinion about absolutely everything and wanted everyone to know it. In this case I posted a public message, paraphrasing: “Huge vulnerability on @big_bank site. Think they’d be pissed if I posted screenshot or did a blog post or should we talk direct?” Smooth. I can’t find their reply but I think they told me to DM them info. I see a DM that says “RE: vulnerability on your site, {my phone number} ASAP.” Very reassuring.
36 hours passed. I remember getting off the 7 train in Flushing, Queens after work and my phone rang. It was a VP at the bank. He introduced himself, told me they were very concerned about this, and wanted to know what I was looking for. “What am I looking for? I want you to fix it and tell your customers what happened!” Then he asked me to walk him through the timeline, including what (if any) queries I ran. I told him exactly what happened. It sounded like they had already found it through logs so they knew I had injected some simple data via the form. He told me that they had been in meetings all day talking about how to respond and confirmed that people were listening to the call. It was clear that they didn’t look me up in their system despite my name being on my social media profile and the phone number being associated with the account. We talked for maybe 10 minutes.
One interesting detail that came out was about the origin of the credit card reward site. When I was first poking at the page, I noticed that it had a .php extension. This was odd to me first because none of the other pages in their online presence presented that way. I was also used to seeing URLs rewritten — it looked sloppy. I had a hunch that this was built by an outside company, which would explain lack of compliance with the standards they likely had elsewhere. I asked him about this and he said “I can’t confirm that but I think you’re onto something” — something like that. I later did some more investigating and confirmed it. This bank started as a regional bank and grew. They used a web development group in their home town for this particular product. The same company provided it for other banks! ...
Some hackers got into their machine on a basic hack, and then hung around long enough to poke around and find the Plex vulnerability.
They were able to inject their own code into the vulnerable Plex, and then ran a basic keylogger in the background without their knowing.
At that point, they watched the user type in their LastPass admin credentials, and at that point they had the keys to the kingdom because LastPass didn’t have better auth protection.
Many layers of the onion failed here which added up to a Swiss cheese effect. The hacks were very elementary, and nothing compared to something like Stuxnet or the NSO hacks.
https://www.bleepingcomputer.com/news/security/phishing-camp...
What is a "ridiculous security incident", is it something you think is easy after someone explains to you what happened after it happens in a void without the business logic and workplace dynamics?
Or something silly like XSS in passwords from known hackers?
This is funny especially because of the quote they managed to get, graffiti artists graffitiing anti-graffiti QR codes with pro-graffiti videos -
Melbourne Lord Mayor says 'vandalism' of QR codes for reporting graffiti 'so frustrating' - https://www.abc.net.au/news/2023-01-01/melbourne-lord-mayor-...
The attacker had managed to get an unmonitored physical connection installed directly in their data center and was able to exfiltrate data completely without any limitation other than bandwidth for 6 months without detection.
This story was never reported as far as I know.
[1] I'm not going to name them but if the name came out I don't think anyone would be surprised who it was.
The second one was a bit more severe, and happened just last year. At our company, we're using a service to host private package feeds for some libraries we're selling. Users get their own account, and usually use an API key authentication to get the packages. However, we've discovered that one client, although a paying customer, didn't have proper rights assigned to their account. After contacting them, it turned out they could access everything just fine, and never noticed a problem. They did have their own user account, along with their own API key. However, for the actual authentication, they used _their_ API key with _my_ account name, and that worked. The service was first checking if the API key was a valid one (which it was, for some account without any access rights), and then checked if the user did have access (which it did). But there was no check whether the API key actually belonged to the user account. So, with publicly available information (account names) and a free account to generate API keys, you could essentially access any private packages you wanted. That one was a bit more scary, and took half a year and multiple emails to finally get resolved.
There was quite a bit of back and forth between the team that managed the servers, the owners of the company and M1. After a few weeks M1 was finally given access. Within a couple of days he brought a complaint against another manager (M2) that M2 had hijacked M1's personal email and was storing it on one of the internal servers.
Meetings were held into the night to discuss what should be done. M2 was called in, credentials revoked and they were placed on leave while an investigation could take place. Overnight every single server was compromised and no one could get in to anything.
M2 brought in a lawyer, the company brought in a lawyer and all of management and most of the employees were sat down in a room to figure out what to do about this mess.
Turns out M1 had re-used the same "password", which was a single lowercase english word, on EVERYTHING. His personal email, any account on any service maintained by the company and had changed his secure password on the superuser accounts he had just been given to the same one.
There was a literal paper trail of M1 providing this password to the majority of the people in the company. Provided in printed memos asking to have accounts set up, emails asking to have accounts set up, other people having it on the standard sticky note on monitors, M1 saying "and make the password..." in the common workspace for anyone to overhear, etc etc.
Of course, one of the servers had SSH open for remote access... and you can see where this is going.
Expensive forensics team was brought in, servers recovered, and it was determined that M1's account on the SSH server was targeted by automated logins not too long after he was added to the company's website.
M2 is cleared and brought back, M1 had their role decreased and was gone not soon after.
Approx 15 years ago I was installing POS system to one second hand store. It was just a beginning of online authorizations and there were few issues with reliability of those that time. As testing was hard, I usually tested operations by trying to make 10kEUR transaction with my expired Visa Electron card. If it worked correctly, I got "denied" response back. It was some time in November when the installation happened. I tested transactions and those went through as approved. I canceled the transaction and cancel went through also. After few tests we found out that payment terminal had some weird demo credentials and finally we got that fixed.
Then, shop finally opened on January. Shop owner called me that their bank account has now negative balance. I joked something about the issue that why he calls me about that and I forgot the thong for few days. Then, after few days he called me again and said they have started police investigation about that fraud. On same evening, I was paying my personal bills and noticed that I had about 65kEUR too much money on my account. Sent immediately message to store owner that I probably have his money but I do not know why.
Well, next day I was suspect of fraud. I started to move money back to customer, but it was not possible for some reason on one tx, it was limited to 10kEUR/day. So it took like a week until customer had their money back.
So what happened: Normally payment terminal transactions expired after three months. Meaning that bank would reject if batch includes older. That was not case here, as there was exception that if same transaction has cancel transaction on same batch, then it is accepted. But, on some later process, they rejected all the normal transactions but accepted the cancels.
So there was real bug on some bank system and bank tried to force me to sign NDA that I would not tell about this issue. I did not see any reason to sign that but most probably they fixed that very soon.
didn't expect a site that big to have this kind of weakness going unnoticed for years