Wednesday, August 12, 2009

A Newbie's Observation

There have been 4 successful attacks so far on Lamer, and one more task accomplished; I'll write about that later. I think that's enough to form a point of view about the reactions of others, in different positions.

The first part of the audience I would like to mention is the users of Lamer. They fell into my XSS trap without even thinking. The link didn't look normal (it started with javascript:, not with http://), but even if they had no programming knowledge, they shouldn't have been so trusting. I mean, it was a YouTube video, so why not use a direct link? The attack was browser-dependent; I think IE 6 couldn't handle it. There were users who were still using that old-fashioned, really bad browser, and they went pretty far by mentioning after my post that the link was not working. And others replied, "Yes, it does". So they double-checked it, and even after that no one had the smallest doubt. Those guys were trusting me too much, just because I had been around for years. What's the moral? Do not trust anyone on the Internet.

Now let's talk about the administrator of Lamer. The site had been hacked (before me) a few times. There are just two types of attacks I know about: once the image upload was hacked by uploading a script, and the voting system was hacked several times. But I gained access to the whole database, several user forum posts, user accounts and some user passwords too. That is, I think I accomplished more than everyone before. I mean, I'm not praising myself; it's just not an IT community. I'm saying that I'm starting to be a threat to Lamer. If it worked 4 times, it may happen again. As for my relationship with the administrator, well, I admire him: not everyone writes a website with several thousand lines of code by himself; they use Joomla, templates or premade scripts (just like this blog).

In short, we got along well. After the first attack he thanked me; after the second attack he thanked me and gave me access to a test user on Lamer, and to a test copy of Lamer on his local machine. We were discussing how he should pay me. Not with money though, with a service. He told me that he would mention my name in the Impression section on Lamer. My reaction was to tell him not to do it. Sites get hacked every day, and I don't want to be suspected in that community if anything happens, not even if I'm the delinquent. Instead I asked for the source code of the site. Not the JavaScript and HTML you can download, but the PHP you can't (in a legal and easy way; with my knowledge I'll just say I can't). He told me that he would do it right away after installing an FTP server (that was a few days ago, still nothing, but oh well, good things don't come fast). It's a profit for both of us. I get reference material for future PHP projects (good for me), and meanwhile I'll debug it (good for him).

Let's stick to the topic: people's reactions. I have a good friend, a girl, with pretty low knowledge of computers (I don't think she isn't smart, she is, but it's not her area). It's true that it's against rule 3, but well, I told her. Her reaction: she panicked. She could never have imagined that somebody could access her account just because she clicked a random link. There are cases when normal links to trusted sites are malicious too. For example, the description I gave before on Elite Hacker's forum, hacking the LA-PD's website. It's not good for session hijacking but good enough for downloading a key-logger.
