History of hacking one MLM company
All of you probably stumbled upon the "successful people" from the Internet. These people broadcast their vision of life. Expose their wealth. They publish books about how to get out of the comfort zone, while writing these books from their mansion in some sort of sunny California. Do you know this?
I really just got it. I cleaned all the social network feeds from such individuals. Personalities that broadcast about coaching, motivation and easy life. And you know what? It became very cool to stay up to date without this rubbish! You go to social networks, and there are only cats and parrots.
But the story is not about that. On one of the days I got burned and I thought - what if we take and look at the real incomes of these people who are so annoying?
')
So I thought and did. More precisely at first did. But then he thought and stopped on time so as not to break the wood. Remember and honor 272 of the Criminal Code !
This story is about one network company, which in our time is just the sea (prana, herbalife, oriflame, nl international, etc.)
The name of the company is deliberately hidden, and the individuals are blocked because they did not want to publicize the incident. Basically correct. Who knows what else I missed ... Well, as a reader, in this example, you can understand what you should not do and what mistakes you should not make.
So let's go. We have a goal - a company and information about people who live happily and gloriously.
We begin, of course, with social networks. You can not imagine how many interesting things can be found in social networks.
We find out that we can extract all the important info through one important site. This site is constantly featured in Instagram stories of those who show their income. In order for us to catch the "victim", we must become this "victim".
To do this, we register our account on which we will conduct experiments. Successfully and anonymously, this was done by finding a referral link for registration.
After registration, we receive an e-mail with information about the login to the system and password. Yes, yes - PASSWORD was also in the email.
Having received this letter, I immediately remembered the situation with RU-Center passwords .
Okay. It is, of course, bad that passwords are so easily spread. But for us it will not help. Unless we break into the victim's email box.
We go further. Got a couple login / password. We go to log in. And here we understand that this password does not require a forced change as a one-time one. Moreover, the menu to change the password does not imply the installation of a “unique” password. And I ask you to note the password from the numbers, and a clearly fixed number. This combination is easily selected through a brute force attack.
Okay. We try to check the login form for brute force with handles. And here it turns out that not everything is so simple. The account is completely blocked and you cannot log in even with the correct password after several unsuccessful attempts. Recording is blocked for several minutes. And this already creates a situation of impossibility to carry out a brute force attack.
And here I remember the most beloved in my work. About mobile applications. Recently, I've seen so many of them. And so much frank game found. And hard-coded passwords, and the lack of distinctions and privileges between users. Well, I was lucky karoch and I found a couple of applications of this company. In one of the applications, you could use the same login and password pair.
Of course, the application functionality did not open up unlimited possibilities for us. But the endpoint of the login was already used completely different. Not the one that clearly blocked the account when browsing.
Then I decided to check what will happen if I conduct a brute force attack on my account through the endpoint of this application. How fast can I find the password? How many threads can I do without server failure? How fast will attentive system administrators ban me?
The results, of course, turned out to be interesting!
Password selection worked at a crazy speed of several threads (dozens of options per second). And the server almost did not return me 500 error from the increased load. And I was not banned. The attack was carried out within a few hours. And I successfully picked up the password. Actually it was the same password that fell into my email box. In the system itself, I opened a huge functional possibilities. And after all this, I just started to assess the risks for the company in order to present them a security report. The more I deepened, the more I understood the seriousness of the consequences of the success of my attack.
And so what could be done? ..
I already feel your question - What do you make a horror? How do you know the login of other users?
And here you are my answer - social networks! Everything is in the public domain. And the login format is also quite trivial.
The most difficult thing was to find a person to whom it would be possible to send information about all this with the aim of eliminating it.
Found the most important thing in this office. It seems like he was considered a leader. But he reluctantly talked. I dropped the email address to which I can send technical details. And never read my latest posts. I did not reply to my e-mail either.
That was so do not care was - I did not expect.
Through social networks, friends, friends, and some other friends, I discovered a person who once was the developer of this company. He has already suggested to me another person who is responsible for the company's IT infrastructure.
By the way, when I got to this person - 2-3 days passed. The man responded adequately. We had a very cool talk about all the problems. He did not deny any of the points I described.
It was also remarkable that due to the anomalous traffic that I intentionally created — he closed the existing loophole a few days ago. And that's cool. It would not be cool if he didn’t notice anything at all.
The problem is closed. Everyone is happy. I got an interesting experience. The company received a valuable security report and life lesson.
And then you have a question about the reward? I will answer with a quote of the greats - "There is no money, but you hold on." In fact, the system administrator offered me to transfer some money to my test account (5 tr, if memory serves me).
But in fact, I could not withdraw these virtual tools. On his proposal, I just kindly asked to transfer this “reward” to a friend who “works” in this company. He, in turn, was able to spend money on the sweet products of the company. Well, then, at my request, sweets went to the orphanage.
Findings:
That's all I wanted to say. Comments and suggestions are welcome. I am also open to suggestions for testing something interesting.
I really just got it. I cleaned all the social network feeds from such individuals. Personalities that broadcast about coaching, motivation and easy life. And you know what? It became very cool to stay up to date without this rubbish! You go to social networks, and there are only cats and parrots.
But the story is not about that. On one of the days I got burned and I thought - what if we take and look at the real incomes of these people who are so annoying?
')
So I thought and did. More precisely at first did. But then he thought and stopped on time so as not to break the wood. Remember and honor 272 of the Criminal Code !
This story is about one network company, which in our time is just the sea (prana, herbalife, oriflame, nl international, etc.)
The name of the company is deliberately hidden, and the individuals are blocked because they did not want to publicize the incident. Basically correct. Who knows what else I missed ... Well, as a reader, in this example, you can understand what you should not do and what mistakes you should not make.
So let's go. We have a goal - a company and information about people who live happily and gloriously.
We begin, of course, with social networks. You can not imagine how many interesting things can be found in social networks.
We find out that we can extract all the important info through one important site. This site is constantly featured in Instagram stories of those who show their income. In order for us to catch the "victim", we must become this "victim".
To do this, we register our account on which we will conduct experiments. Successfully and anonymously, this was done by finding a referral link for registration.
After registration, we receive an e-mail with information about the login to the system and password. Yes, yes - PASSWORD was also in the email.
Having received this letter, I immediately remembered the situation with RU-Center passwords .
Okay. It is, of course, bad that passwords are so easily spread. But for us it will not help. Unless we break into the victim's email box.
We go further. Got a couple login / password. We go to log in. And here we understand that this password does not require a forced change as a one-time one. Moreover, the menu to change the password does not imply the installation of a “unique” password. And I ask you to note the password from the numbers, and a clearly fixed number. This combination is easily selected through a brute force attack.
Okay. We try to check the login form for brute force with handles. And here it turns out that not everything is so simple. The account is completely blocked and you cannot log in even with the correct password after several unsuccessful attempts. Recording is blocked for several minutes. And this already creates a situation of impossibility to carry out a brute force attack.
And here I remember the most beloved in my work. About mobile applications. Recently, I've seen so many of them. And so much frank game found. And hard-coded passwords, and the lack of distinctions and privileges between users. Well, I was lucky karoch and I found a couple of applications of this company. In one of the applications, you could use the same login and password pair.
Of course, the application functionality did not open up unlimited possibilities for us. But the endpoint of the login was already used completely different. Not the one that clearly blocked the account when browsing.
Then I decided to check what will happen if I conduct a brute force attack on my account through the endpoint of this application. How fast can I find the password? How many threads can I do without server failure? How fast will attentive system administrators ban me?
The results, of course, turned out to be interesting!
Password selection worked at a crazy speed of several threads (dozens of options per second). And the server almost did not return me 500 error from the increased load. And I was not banned. The attack was carried out within a few hours. And I successfully picked up the password. Actually it was the same password that fell into my email box. In the system itself, I opened a huge functional possibilities. And after all this, I just started to assess the risks for the company in order to present them a security report. The more I deepened, the more I understood the seriousness of the consequences of the success of my attack.
And so what could be done? ..
- Collect personal data of users of the system (name, phone number, passport data, address).
- Collect all the financial activity of user data.
- Collect sensitive information about users from personal correspondence within the system (personal messages).
- Transfer funds between users. With the subsequent withdrawal of funds. And it could be done in a very fun format. If from one hacked account you can understand the amount of damage, find and roll back transactions, then after several hacked accounts it would be almost impossible to do this. Essentially a kind of money mixer. As a result - the financial losses of the company. And believe me, the money was there ...
- Reputational damage due to the disclosure of financial activity of users.
I already feel your question - What do you make a horror? How do you know the login of other users?
And here you are my answer - social networks! Everything is in the public domain. And the login format is also quite trivial.
The most difficult thing was to find a person to whom it would be possible to send information about all this with the aim of eliminating it.
Found the most important thing in this office. It seems like he was considered a leader. But he reluctantly talked. I dropped the email address to which I can send technical details. And never read my latest posts. I did not reply to my e-mail either.
That was so do not care was - I did not expect.
Through social networks, friends, friends, and some other friends, I discovered a person who once was the developer of this company. He has already suggested to me another person who is responsible for the company's IT infrastructure.
By the way, when I got to this person - 2-3 days passed. The man responded adequately. We had a very cool talk about all the problems. He did not deny any of the points I described.
It was also remarkable that due to the anomalous traffic that I intentionally created — he closed the existing loophole a few days ago. And that's cool. It would not be cool if he didn’t notice anything at all.
The problem is closed. Everyone is happy. I got an interesting experience. The company received a valuable security report and life lesson.
And then you have a question about the reward? I will answer with a quote of the greats - "There is no money, but you hold on." In fact, the system administrator offered me to transfer some money to my test account (5 tr, if memory serves me).
But in fact, I could not withdraw these virtual tools. On his proposal, I just kindly asked to transfer this “reward” to a friend who “works” in this company. He, in turn, was able to spend money on the sweet products of the company. Well, then, at my request, sweets went to the orphanage.
Findings:
- Do not climb too deep when you find something "interesting."
- Never forget about the 272, and about the risk of getting into contact with a not very adequate person, who may not be happy with your message about "hacking". In a specific example, my interlocutor got funny.
- As a developer, never implement authorization / authentication functionality through different endpoint APIs. There must be a community in your system. There should be no workaround solutions for one or another functional. Everything should work through a single endpoint with a single protection. Otherwise, you will get tired of looking for a place where burglars came to you.
- Do not use simple passwords for users that you yourself generate. A good password must be set by the user himself.
- Always encrypt passwords, solder them, and do not store them in plain text.
- Do not transfer passwords from the system in an email at registration. If the user loses control of the email box, he loses control of your system.
- Do not use the login generator in your system. Logins to the system must also be unique.
- When implementing the authorization functionality, always set the brute-protection functionality.
That's all I wanted to say. Comments and suggestions are welcome. I am also open to suggestions for testing something interesting.
Source: https://habr.com/ru/post/348732/
All Articles