
The story of a little hack, or an adequate bug bounty from a local internet provider

Introduction


Good day, friends. This small hacking story happened to me in the middle of August of this year, 2018. It began in a small town in the Krasnodar Territory, where the internet is bad: there is 4G, but that is not the same thing, and out here in the countryside you could only dream of a wired connection. Then, just recently, the miracle happened: wires were run to my area, and I immediately ran to connect 100 Mbps over fiber, 8k for the connection together with the tariff.

Curiosity


I was overjoyed: the internet was good, the provider small and local, and the customer portal (the personal account page) matched the status of a local provider. Out of curiosity I poked around in the portal and looked at what subdomains there were. I found a subdomain admin.domain_provider.com/ which immediately redirected to the login form, login.php. F12, open the dev tools, look at the JS: in the ajax requests there were interesting links like "/?user_id=" + id. Simply copying the link and typing in a random number dumped that user's data in a table:

Passport series / number
Issued by
date of issue
Full name
address of residence
phone number
Login (from tyrnet)

"Oh, that can't be," I thought. I included jQuery in the page head, spent 5 minutes writing an ajax request in a loop that spat the results into the body of the page, and out came 21,000 entries.

Quickly Ctrl+F, typed in my own name, and yes, I was there. To my surprise, user data was simply hanging there freely available. I looked at the rest of the links in the ajax requests: there was a lot of everything, some for controlling switches, some for rebooting something or other. Since it was hard to work out what was responsible for what, it was not that interesting to me.
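Access logs of exactly this kind of sweep are what the provider later claimed to have. As an added example (not code from the post), the following Python script parses constructed access-log lines and flags any client that was served many distinct user_id values in a short window; the IP addresses, timestamps and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Combined Log Format), not the provider's real logs:
# one customer views their own record; one client sweeps user_id values in sequence.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2018:23:10:01 +0300] "GET /?user_id=4412 HTTP/1.1" 200 912
198.51.100.3 - - [14/Aug/2018:23:10:02 +0300] "GET /?user_id=1 HTTP/1.1" 200 898
198.51.100.3 - - [14/Aug/2018:23:10:02 +0300] "GET /?user_id=2 HTTP/1.1" 200 901
198.51.100.3 - - [14/Aug/2018:23:10:03 +0300] "GET /?user_id=3 HTTP/1.1" 200 877
198.51.100.3 - - [14/Aug/2018:23:10:03 +0300] "GET /?user_id=4 HTTP/1.1" 200 905
198.51.100.3 - - [14/Aug/2018:23:10:04 +0300] "GET /?user_id=5 HTTP/1.1" 200 899
203.0.113.7 - - [14/Aug/2018:23:12:40 +0300] "GET /login.php HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
USER_ID_RE = re.compile(r'[?&]user_id=(\d+)')

def parse_line(line):
    """Return (ip, timestamp, user_id, status) for a request carrying user_id, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    uid = USER_ID_RE.search(m['path'])
    if not uid:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, int(uid.group(1)), int(m['status'])

def find_enumeration(log_text, min_distinct=5, window=timedelta(minutes=5)):
    """Flag client IPs that were served >= min_distinct different user_id values
    within `window`. Returns {ip: sorted list of the user_ids seen in that window}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 200:  # count only records that were actually served
            per_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # sliding window: distinct ids requested from hit i until `window` later
            ids = {uid for ts, uid in hits[i:] if ts - start <= window}
            if len(ids) >= min_distinct:
                flagged[ip] = sorted(ids)
                break
    return flagged
```

The same check, with the threshold and window tuned to real traffic, separates a customer viewing their own record from a client walking the whole id space, which is the distinction the author and the provider argued about at the gate.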

It was already late. I thought, "well, the developers screwed up," and went to bed.

The next day I began to think that this was not all a joke, and that I could be held criminally liable for it; in our country people get jailed for reposts. It is worth noting that I had not planned anything of the sort, otherwise I would have covered myself with a VPN or proxy. On the other hand, if they leave holes like that, they are unlikely to look at their logs. And on the third hand, it is better if I tell them myself before they find my tracks, otherwise they certainly would not talk to me afterwards.

Point played


I google the name of the organization on Habr, find the organization with a few repositories (nothing interesting in them), look at who is in that organization, google again, and find the developers on VK. I write: "Hello, why are 21,000 user records with all their data publicly accessible?" He writes back that he has informed his boss. OK, I think, I did my part.

Payback for curiosity


I woke up at about 10 in the morning; I had work to do. A knock at the gate. I look out the window: a little red car, 3 people, and I recognize one of the developers from his photos. I think, that's it. I had saved everything, that html page, right on the desktop: quickly Shift+Del, confirm. I take a cigarette and think, now it is going to be fun. I smoke, I go out.

- Hello.
- Hello.
- I take it you understand where we are from.
- Yes, I already understood. (I take a drag.)
- I want to warn you (shows the phone): I am recording the conversation.
- Fine.
- Yesterday you downloaded our database.
- No, I did not download it. I found a vulnerability and informed you.
- Our IT specialists have data showing that you downloaded this database.
- That is impossible; you can only see that I looked at it.
- We are determined to resolve this quietly and peacefully. Can our IT people make sure that you have not saved it?
- In principle, yes. Do you take the PC with you, or do you check everything at my house?
The IT specialist says:
- It is better if we take the PC and check it in the office.
- Fine.

Here you can argue with my decision. On the one hand: who are you to me, I did not download anything, go away, I will not hand over my PC, and what exactly are you going to prove to me? On the other hand, that is dangerous, and I would rather talk to them than to the police. You can understand them: they screwed up on security, and they have the right to make sure. I decided it was better to talk to them.

We go to my place together, I shut down the PC, pull on jeans and sneakers, and we drive to the office; we get out of the car and all go in to the director together. Various questions: why did you do it, what for, how did you do it. I told them that their database was hanging in the public domain and anyone could have done it. We talked, then went to check the PC. These experts checked the machine, looked at the recycle bin, downloaded a program and searched for keywords. Did they ask to check my phone? I could have saved it on the phone, on a flash drive, and what about the cloud? I could have saved it to Google Drive. In general they searched just for form's sake; I watched and hoped they would not think to download some data-recovery program and see what had been deleted. (A question for the comments: is data recovered from an SSD as easily as from a hard drive?)

Epilogue


I sat for 2 hours watching their attempts. I took my PC and went with the lawyer to the director, who suggested I sign an agreement by which I was supposedly hired retroactively to search for vulnerabilities in their system. "But we will not pay you" (I read the agreement before signing, though I did not think to ask for a copy), "we will give you a year of free internet as payment." OK. They drove me home.

As my colleague later noted, it is good that it was a year of free internet and not a year suspended. 1500 a month for unlimited, multiplied by 12: that is how much I had in my account in the portal when I returned home and checked. I lean back in the chair and exhale.

Source: https://habr.com/ru/post/428822/