250 thousand emails at risk? It is a feature!
Written by minor
Thursday, 10 July 2008

 "It is not a bug, it is a feature. You invented the wheel."

If you get this kind of answer from a website operator in relation to a security bug found in his application, then you have only two choices: either you're paranoid or the operator doesn't care much about security. What are we talking about? About the leakage of 250.000 email addresses.

One of the most visited websites in Slovakia, the community website Azet.sk, known for its freemail and chat services, has several sections, among which is also a dating section. The website is visited by surfers of various ages who would like to find a partner for anything: chatting, meeting, sex etc. You just post an announcement and everybody can respond to you through a web form. But a few days ago, one of the most visited security blogs in Slovakia, blog.synopsi.com, published a detailed description of how to get email addresses from the Azet dating service, together with a PoC script.


When sending a message to a selected user of the dating service from an opened announcement (identified by an ID), the recipient's email address is sent along in a hidden form field. oooo (the blog admin) wrote a script in Python and compiled it to a Windows binary that automated the extraction of addresses. He started with ID=1, which should correspond to the first announcement in the dating section, but the first emails were only extracted around ID=300000. The script stopped working at ID=900000 and ended up with 250000 extracted emails, which is approximately 1/4 of all Internet users in Slovakia. Of course the real figure could be lower, because some individuals use more than one email address, but the number is really high.

The functionality of this script with some extracted email addresses can be seen in this video.
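To make the flaw concrete, here is an added example (not code from the article, from Azet.sk, or from the blog.synopsi.com PoC) that contrasts a contact form which emits the poster's address in a hidden field with one that only carries the announcement ID and resolves the address server-side, plus a check a site operator can run over their own rendered pages to catch such leaks. The announcement IDs and addresses are constructed sample data.

```python
import html
import re

# Constructed sample data: announcement id -> poster's contact email (not real users).
ANNOUNCEMENTS = {
    300001: "alice@example.invalid",
    300002: "bob@example.invalid",
}


def render_contact_form_leaky(announce_id):
    """'Before' form: the poster's email is emitted in a hidden field, so anyone
    who opens the announcement (or walks the ids) can read it from the HTML."""
    email = ANNOUNCEMENTS[announce_id]
    return (f'<form method="post" action="/dating/send">'
            f'<input type="hidden" name="to" value="{html.escape(email)}">'
            f'<textarea name="body"></textarea></form>')


def render_contact_form_fixed(announce_id):
    """'After' form: only the announcement id travels to the client; the server
    resolves it to an address at send time and never echoes the address."""
    return (f'<form method="post" action="/dating/send">'
            f'<input type="hidden" name="announce_id" value="{announce_id}">'
            f'<textarea name="body"></textarea></form>')


def relay_message_fixed(form):
    """Server side of the fixed form: resolve the recipient internally and return
    the (recipient, body) pair the mailer would use, or None for bad/unknown ids."""
    try:
        announce_id = int(form.get("announce_id", ""))
    except ValueError:
        return None
    email = ANNOUNCEMENTS.get(announce_id)
    if email is None:
        return None
    return email, form.get("body", "")


# Hidden <input> whose value looks like an email address.
HIDDEN_EMAIL = re.compile(
    r'<input[^>]*type="hidden"[^>]*value="([^"]*@[^"]*)"', re.IGNORECASE)


def hidden_fields_with_emails(page_html):
    """Check to run against your own rendered pages: return email-like values
    found in hidden inputs. A non-empty result means the page leaks contacts."""
    return [html.unescape(v) for v in HIDDEN_EMAIL.findall(page_html)]
```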


Among the results, several email addresses belonging to government offices, municipalities, universities, schools etc. were also found; the authors published them together with links to the announcements containing those email addresses (this is an exact picture of bureaucracy everywhere in the world: officers have no time for you, but have time to look for something else).

The answer came several hours later from Azet.sk's operator, in an article named "They invented the wheel" (since it is in Slovak, we extracted some juicy sentences and added our comments).

"No emails leaked from the website Zoznamka.azet.sk, as is stated in articles on blog.synopsi.com and pocitace.sme.sk, only email contacts."  (where is the difference?)

"Processing of email addresses was developed and programmed in such way." (what???)

"The described way of extracting email addresses from HTML code is commonly used by spammers around the world; they harvest addresses and misuse them. So this is not directly a security issue of the Zoznamka.azet.sk website." (hey guys, spammers can't hit Slovakia, this is a real banana island!)

"The email contact entered when inserting a new announcement is only for contact purposes and Azet.sk is not obliged not to disclose it." (well, in the user privacy section of the rules you can read:

1. The operator undertakes not to disclose the user's private data to any third party.

2. For the purposes of these rules, the user's private data are all data that are not publicly available to other users or are not shared (for example data that the user marked as "not public", etc.) and the email address, even when it is shared. IP address and access time (logs) are not considered private data.)

Azet.sk operators also accused the authors of blog.synopsi.com:

"Publishing email contacts, and the announcements allegedly connected with them, on the synopsi blog is questionable; in reality it is not possible to prove the connection, and this can be considered a serious detraction and damaging of the affected persons' names."

In answer to this last accusation, oooo stated:

"Although I connected the emails and announcements on purpose, Azet repeatedly said I faked them. Of course, only after they corrected the described errors. Then they advised me that they meant the connection of particular persons with the published emails. But I never said these are the particular persons. I just wrote the emails and connected them with the announcements. ...the emails were freely available on the website. It was not necessary to hack the databases in some way or steal the emails somehow... ...Azet published the emails in publicly available HTML code."

Can you imagine an issue like this affecting bigger social networking websites? And their answer being: "it's not a bug, it's a feature..."?
