
Why there are no white-hat hackers in Ukraine, or the story of the Kyivstar hack

After Kyivstar's recent action, can one really say that this renowned telecom operator and Internet provider values and respects the work of specialists?


A hacker broke into the Kyivstar subscriber site and did not steal a million from subscribers' accounts. Instead he told management that he had found where the programmers had made an error in the program code, because of which anyone could add other people's mobile numbers to their own personal account and use them as their own: receive call detail records, change the tariff plan, transfer money and much more.

Technical details


One of the steps in the procedure for linking a phone number to the personal account did not correctly pass on the parameters indicating successful completion of that stage; as a result, the SMS confirmation step could be skipped.
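The defect described above is a classic multi-step flow bug: the "this step was completed" state is carried in something the client controls instead of in server-side session state. The following Python model is an added example, not Kyivstar's code; the class names, the session layout and the phone numbers are all constructed for illustration. It shows a weak finalize handler that reads the verified flag from the request beside a hardened one that trusts only what the server recorded when the SMS code was actually checked.

```python
"""Hypothetical model of a phone-number linking flow (not Kyivstar's code).

Step 1: subscriber requests linking; the server sends an SMS code.
Step 2: subscriber submits the code; the server marks the session verified.
Step 3: subscriber finalizes; the number is attached to the account.

The weak finalize lets the request carry its own "verified" marker, so a
session that never passed step 2 can still complete step 3. The hardened
finalize consults only the server-side session record.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class LinkSession:
    """Server-side state for one linking attempt."""
    account_id: str
    msisdn: str
    sms_code: str
    sms_verified: bool = False  # flipped only by verify_sms()


class PhoneLinkingService:
    def __init__(self) -> None:
        self.sessions: dict[str, LinkSession] = {}
        self.linked: dict[str, set[str]] = {}        # account_id -> msisdns
        self.outbox: list[tuple[str, str]] = []      # (msisdn, code) "sent" SMS

    def start(self, account_id: str, msisdn: str) -> str:
        """Step 1: create a session and 'send' a one-time code to the number."""
        code = f"{secrets.randbelow(10**6):06d}"
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = LinkSession(account_id, msisdn, code)
        self.outbox.append((msisdn, code))  # stands in for the SMS gateway
        return session_id

    def verify_sms(self, session_id: str, code: str) -> bool:
        """Step 2: only a correct code marks the session verified."""
        s = self.sessions[session_id]
        if secrets.compare_digest(s.sms_code, code):
            s.sms_verified = True
        return s.sms_verified

    def finalize_weak(self, session_id: str, request_params: dict) -> bool:
        """Step 3, weak form: the completion marker comes from the request."""
        s = self.sessions[session_id]
        # BUG: the verified state is read from client input, not the session.
        if request_params.get("sms_verified") == "1":
            self.linked.setdefault(s.account_id, set()).add(s.msisdn)
            return True
        return False

    def finalize(self, session_id: str, request_params: dict) -> bool:
        """Step 3, hardened form: only server-side state decides."""
        s = self.sessions[session_id]
        if not s.sms_verified:  # request_params cannot influence this
            return False
        self.linked.setdefault(s.account_id, set()).add(s.msisdn)
        del self.sessions[session_id]  # one-shot: the session cannot be replayed
        return True


def demo() -> tuple[bool, bool]:
    """Finalize without ever verifying, against both handlers.

    Returns (weak_result, hardened_result); constructed account ids and a
    placeholder Ukrainian number are used as input.
    """
    weak = PhoneLinkingService()
    sid = weak.start("acct-1", "+380000000000")
    weak_result = weak.finalize_weak(sid, {"sms_verified": "1"})

    hardened = PhoneLinkingService()
    sid = hardened.start("acct-1", "+380000000000")
    hardened_result = hardened.finalize(sid, {"sms_verified": "1"})
    return weak_result, hardened_result
```

The design point is that every step's completion must be recorded on the server, keyed by the session, and each later step must read that record; anything echoed back from the browser (a hidden form field, a query parameter, a cookie value the client can rewrite) is not evidence that a step happened. Deleting the session on success also prevents a verified session from being reused to link a second number.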


What do you think the balance of an average Kyivstar subscriber is? 5-10 UAH? Thousands of subscribers have up to 10 000 UAH. Not to mention the basic confidentiality of correspondence and of SMS messages carrying Internet-banking login codes.

This is a critical vulnerability: an attacker exploiting it could get away with no small amount of money, and Kyivstar could lose both money and reputation.

Fortunately, the information did not fall into the wrong hands: the hacker turned out to be entirely ethical and acted as a researcher, informing the company about the vulnerability immediately, although it was hard for him to entrust such sensitive information even to an operator working at the company itself.

And, you know, Kyivstar quickly patched the hole in its security and valued the vulnerability at 3 free months of Internet use, which is exactly the reward it gave the researcher.

I understand that nobody expected to pay money for anything and that this was not in the budget, but it may play a cruel joke on the company in the future, because some IT specialists have already voiced their doubts about the fairness of the reward.


And truthfully, the next researcher will think three times about whether it would be more profitable not to exploit the vulnerability himself (that would be illegal) but to sell the information for decent money to other companies, ones that understand this and know its price.

And this case partly explains the large number of criminal hackers that Ukraine is known for: conditions are not created under which it pays for a hacker to switch to the white side and become a researcher, while companies keep struggling and suffering instead of respecting and encouraging them.

Author in .

UPD: Response from a Kyivstar manager (source unverified)

Good day. I work as a digital manager at Kyivstar and, as an insider, I should comment on the fact that information security at KS is taken more than seriously, so this case is probably one of the few in the company's history. It is also important to note that the vulnerability was discovered in the beta version of the new system, to which only a part of the clients had been invited.

Now to the point: on the day the vulnerability was discovered, it became clear that such cases deserve a separate approach, and it was decided to launch a bug bounty program at Kyivstar with an adequate individual reward for each vulnerability found. As you understand, launching such an undertaking in a corporation takes more than a couple of days, but I hope that in a couple of weeks we will manage it and publish the conditions officially. I will write about the results here and on Habr.

It would seem timely now to invite Kyivstar to take part as a sponsor of the HackIT Ukraine hacker conference, to show that they take vulnerabilities seriously.

Source: https://habr.com/ru/post/357150/
