The Hacking of http://db.singles.org
I was hesitant to write about this b/c I've been threatened pretty seriously about my role in it. But it's important for people to understand a few things about the state of security today. What occurred was so pathetic, the result of such rampant incompetence, that it is, in a word, criminal.
Singles.org is a dating site ostensibly for Christians. They boast over 30,000 members and while I have strong reason to doubt that claim (explained shortly), they do have a lot of members.
Earlier this afternoon I was surfing and saw a thread about a security flaw that was found. B/c it appears to be closed now, it's ok to talk about. This site used querystring parameters to identify a user and the mode the page displayed in. So someone noticed that you could put it in edit mode without having to be authenticated. Account numbers were 6 digits, so you could just randomly switch them, get into someone else's account and update it. Querystring injection is something I would never have dreamed could still be possible in 2009, but lo and behold, it is.
I went to the link and saw serious defacing already. I put in a few numbers of my own and each page had been hacked. What's worse, though, is that each page showed the person's password in plaintext, along with their email. You know where this is going.
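Added example, not code from the post or from the site: a minimal Python model of the access-control flaw described above (account id and page mode taken from the querystring alone, plaintext password echoed back) next to a corrected handler that derives identity from a server-side session, refuses cross-account ids, and never returns credentials. All account ids, emails, passwords and the session token are constructed sample values.

```python
import hashlib
import hmac
import secrets

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, salt, digest):
    """Constant-time check of a login attempt against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

# Constructed sample store (hypothetical values). The "password" field models the
# pre-fix site, which kept plaintext; the hardened handler relies on salt/pw_hash only.
_a_salt, _a_hash = hash_password("correct horse battery")
_b_salt, _b_hash = hash_password("hunter2")
USERS = {
    "123456": {"email": "alice@example.invalid", "bio": "hello",
               "password": "correct horse battery", "salt": _a_salt, "pw_hash": _a_hash},
    "123457": {"email": "bob@example.invalid", "bio": "hi",
               "password": "hunter2", "salt": _b_salt, "pw_hash": _b_hash},
}
# Server-side session table: opaque cookie value -> account id (constructed).
SESSIONS = {"sess-9f3a": "123456"}

def edit_profile_vulnerable(params):
    """Pre-fix behaviour from the post: id and mode come from the querystring alone,
    so any 6-digit id opens that account's edit view, plaintext password included."""
    if params.get("mode") != "edit":
        return None
    user = USERS.get(params.get("id"))
    if user is None:
        return None
    return {"email": user["email"], "password": user["password"], "bio": user["bio"]}

def edit_profile_hardened(params, cookies):
    """Corrected form: identity comes from the session, not the URL; a querystring id
    may only name the caller's own account; credentials never leave the server."""
    uid = SESSIONS.get(cookies.get("session", ""))
    if uid is None:
        return None                 # unauthenticated: no edit view at all
    requested = params.get("id", uid)
    if requested != uid:
        return None                 # cross-account request denied (and worth logging)
    if params.get("mode") != "edit":
        return None
    user = USERS[uid]
    return {"email": user["email"], "bio": user["bio"]}
```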
So people started modifying profiles, which was, I have to admit, a little funny. But things got ugly fast. People realized that they could try the listed email account with the same password, in case the folks had reused it, and well, the results were predictable.
I sent out some warnings to these people but realized there was no way I was going to make much of a difference.
About this time, people started going through friend lists and emails and sending out mass emails that were crazy, pretending to be the given person. The stuff would come off as totally real and in most cases, pretty offensive.
I wrote a program to go through and harvest the emails as quickly as possible and was going to shoot out a mass email. Not trying to ruin anyone's fun but this was getting serious. Like a dummy, I used my own email account to do it (I'll explain WHY I did something this stupid shortly).
As my program was running, the threats started coming in. People were raiding the users' accounts and as they did, they were reading my warnings. The "I'm going to make your White Knight Life F*cking hell you ***" emails started coming in. Agent Roubal, if you're reading this, I'll reiterate: I WAS BEING ATTACKED FOR BEING A WHITE KNIGHT IN THIS. There are some really stupid people at ICE so I need to make sure there's no confusion here about what I did.
My program was slow and I had to run through the results with a regex afterward to get all the email addresses, and I got more threats. Crap!
As I was reading this stuff, I was watching the progress. Folks realized that many people use one address for Facebook and likely use the same password. And they were right. So they were now raiding Facebook accounts, doing the same stuff.
The natural progression was to try PayPal. And yep, same results. I'm thinking "Great, I just spidered the whole freaking site in the middle of this, guess I'll be talking to a special computer crime investigator AGAIN for the zillionth time in my life."
Additionally, while people were sending out fake emails and raiding PayPal accounts, many were suggesting these people stop. Not out of altruism but b/c it would let the cat out of the bag. They advocated holding on to this stuff, covertly changing challenge questions and using it some day in the future for 'real' stuff.
The saddest part of all of this was probably that the email for Singles.org bounced. email@example.com apparently isn't operational (so much for their claims about Frank the support guy http://www.singles.org/html/customer_support.htm and their live support). Well, no, that's not the saddest part. The saddest part is that in 2009, such an exploit can exist.
Seriously, once I saw this, it took me exactly 7 minutes to write a program that could walk the whole site and harvest the emails. 7 minutes. It's not the most elegant code but it worked. So let's say I found this exploit on my own. I could have written the program and extracted password and email account pairs. It would take about 10 minutes to write a program that attempts a login for each one and reports back which ones were matches and which weren't. From there, a lot of really evil stuff could have been done. I'm not a network developer and am pretty weak there. Imagine what someone with real skillz could have done.
Lesson to be learned: don't use the same password for multiple accounts. Get PasswordSafe for God's sake and be done with such problems. Additionally, use throwaway email accounts for stuff like dating sites and, well, everything else too - it's not just no-talent dating sites that have flaws that get exploited. Use strong passwords - personally, I stopped using passwords under 15 characters a while ago. Additionally, think really hard about co-mingling work and personal emails. One of the people had some seriously bad stuff done to them ('they' wrote their boss and coworkers an 'email' that would certainly result in termination if they can't prove it was done by someone else).
This will be interesting...
UPDATE: (02.23.09) - A commenter pointed out that the problem wasn't 'fixed' at all and his/her point is absolutely valid. db.singles.org did in fact 'fix' the bug but what that did was simply stop some of the bleeding. I know if I could write a program that quickly to get all that info, it's almost certain someone with different motives did the same. Anyone whose email/Facebook/PayPal was already compromised isn't helped one bit by having the hole closed b/c the damage is already done. I was contacted by one of the people who I sent a warning email to and as of last night at 11:16 PM EDT, db.singles.org did not send out any notification that the breach happened, nor did they warn people about what other problems could have happened to them personally as a result of the breach (according to the member I spoke with). This is shameful. I can understand why a company might not want to tell their entire customer base something like this happened, but that's the price you pay for screwing up like this in the first place. Do I think db.singles.org should go out of business over this? Well, I think they need to make this right completely and in many ways, that's not possible. The embarrassment some people are experiencing by having really plausible-sounding emails go out in their names is pretty hard to account for. Sure, that's not 100% db.singles.org's fault (they would likely argue that if the users didn't use the same password they wouldn't have this problem, but the same could be said in reverse: if db.singles.org didn't screw up in the first place, these people wouldn't be in the fix they are in). I do think db.singles.org should put a notice on their front page and send every user an email (as I found out the hard way though, sending out an email may not result in users getting those emails if their accounts are already breached) letting them know what happened and the extent of it.
The breach was bad enough, but having your credit card and PayPal info all over the internet is something altogether worse.