Wednesday, January 7, 2009

MacRumorsLive feed hack details

I was watching the MacRumors live feed yesterday and I was lucky enough to see the hack live.

It was kind of funny, I was following the updates and at some point this text appeared:

STEVE JOBS JUST DIED:

A few seconds later the guys from MacRumors figured out that something happened and posted a retraction. And then the hacker posted another funny message:

Oh, wait, sorry. Steve did die. Our condolences.

And after that things started to get out of control. A lot of people started to post a lot of crap. You can see a screen shot here.

Anyway, I was curious what happened and started searching on Google. I was thinking they found an SQL injection or guessed their passwords or something like that.

However, things were much simpler (as they usually are). Some guy/guys from 4chan found a directory listing for the admin directory.


As if this wasn't bad enough, this directory was not properly configured and was showing the source code of PHP files instead of executing them.

More than that, you could read the htpasswd file (named .passwd) with all the password hashes :)

Wait, there is more :)

They didn't even need those passwords, because if you read some of the files from that directory you could get the URL of the administrative interface. From there you could post live updates and stuff. And guess what: this administrative interface wasn't password protected. Now, that's just funny :)
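As an added illustration (not from the original post, and not MacRumors' actual configuration), here is an Apache 2.4 virtual host fragment that reproduces the three weaknesses described above, followed by a corrected version. The paths /var/www/html, /var/www/html/admin and /etc/apache2/live-feed.htpasswd, and the use of mod_php, are assumptions.

```apache
# --- Weak configuration (assumed, illustrative only) ---
# Every weakness described in the post is present here.
<VirtualHost *:80>
    DocumentRoot /var/www/html

    <Directory /var/www/html/admin>
        # "Indexes" enables automatic directory listings: anyone who
        # requests /admin/ sees every file, including .passwd.
        Options +Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
        # No AuthType/Require valid-user here: the admin scripts are
        # reachable without a password.
    </Directory>

    # No PHP handler is active for this directory, so .php files are
    # served as plain text and their source (including any internal
    # URLs) is shown. The credential file sits inside the web root as
    # ".passwd"; Apache's stock rule only hides files starting with
    # ".ht", so it is downloadable too.
</VirtualHost>

# --- Corrected configuration (assumes mod_php is loaded) ---
<VirtualHost *:80>
    DocumentRoot /var/www/html

    # Make sure PHP scripts are executed, never sent as source.
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>

    # Deny dot-files of any name site-wide, not only .ht*.
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>

    <Directory /var/www/html/admin>
        # No automatic listings.
        Options -Indexes +FollowSymLinks
        AllowOverride None
        # Authentication for the whole admin directory; the password
        # file is kept outside the document root.
        AuthType Basic
        AuthName "Live feed administration"
        AuthUserFile /etc/apache2/live-feed.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

After `apachectl configtest` and a reload, requesting /admin/ on your own server should answer 401 and /admin/.passwd should answer 403; a 200 on either means one of the three fixes did not take effect.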


Here is the response from arn, the guy that runs MacRumors.

The cause of the security breach is best described as "user error" due to admin files being inadvertently mirrored across multiple server instances with incorrect permissions. This allowed php code to be displayed rather than executed, which was clearly a "bad thing". Our actual admin panel is password protected, of course.
