4chan founder has a bad day at office, his admin account hijacked, then loses Amazon keys to ‘Bitcoin’ bandit

The troubles of 4chan founder Chris Poole, aka ‘moot’, seem to be growing day by day. Just a few days back, hackers managed to break into a moderator's account on the world's most popular imageboard website, and now ‘moot’ himself was hacked twice in a day.

Chris, who also has a blog called Chris Hates Writing, made a post 22 hours ago saying that his worst day started with a flurry of missed calls. Stating that missed calls are never a good sign, moot returned the calls only to find out that his 4chan admin account had been hacked not once but twice in a day. In the blog post, moot gives a detailed report of the hack and of the security blunders by the 4chan admin that led to it. The blunders, listed below, allowed a hacker to log in as moot on 4chan. Not only did the hackers cause havoc on 4chan, they also managed to log into moot’s DrawQuest Amazon cloud account, which the hacker may then have used to mine some free Bitcoins.

moot’s security blunders:
Mistake #1: No rate limiting or HTTP auth dialog was present on the domain.
Mistake #2: The PHP auth check for this particular file was broken.
Mistake #3: Unescaped SQL query, and not disabling MySQL errors in production.
Mistake #4: Boneheaded cookie auth—we simply stored the bcrypted password from the database in a cookie, which was all that was required to pass PHP auth.
Mistake #5: Not creating a fresh repo for a newly open sourced project, or at least scrubbing commit history.
And the final Mistake #6: Using a highly-privileged key where a lesser-privileged one would have sufficed.
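
Mistake #4 makes the stored hash password-equivalent: whoever can read it from the database (for instance through the unescaped query in Mistake #3) can present it as a cookie without ever cracking it. The sketch below is an added example, not code from moot's post or from 4chan; the user table, function names and placeholder hash are constructed for illustration. It puts that cookie check beside a random, expiring, revocable session token.

```python
import hashlib
import secrets
import time

# Constructed sample data: a placeholder standing in for a bcrypt hash row.
USERS = {"admin": {"pw_hash": "$2y$10$CONSTRUCTED.PLACEHOLDER.HASH.VALUE"}}
SESSIONS = {}        # sha256(token) -> (username, expiry in epoch seconds)
SESSION_TTL = 3600   # assumed lifetime of one hour


def weak_cookie_auth(username, cookie_value):
    """Pattern from Mistake #4: the cookie is the stored password hash itself."""
    user = USERS.get(username)
    return user is not None and cookie_value == user["pw_hash"]


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(username, now=None):
    """Call only after the password has been verified; returns the cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # random, unrelated to the password
    # Only a digest is stored, so a database read does not yield a usable cookie.
    SESSIONS[_digest(token)] = (username, now + SESSION_TTL)
    return token


def session_auth(cookie_value, now=None):
    """Return the username for a live session token, otherwise None."""
    now = time.time() if now is None else now
    key = _digest(cookie_value)
    entry = SESSIONS.get(key)
    if entry is None or now >= entry[1]:
        SESSIONS.pop(key, None)         # unknown or expired: drop and reject
        return None
    return entry[0]


def revoke(cookie_value):
    """Log out: the token stops working without any password change."""
    SESSIONS.pop(_digest(cookie_value), None)
```

With the token scheme, a leaked `pw_hash` is useless as a cookie, and a stolen token can be revoked or left to expire instead of staying valid until the password changes.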

Moot, however, then decided to take action to uncover the vulnerabilities in the 4chan website. He announced a $20 bug bounty program to encourage security researchers and white hat hackers to find bugs on the 4chan website. He also hopes that the $20 will inspire hackers who have already found vulnerabilities, and may be using them, to approach 4chan confidentially and tell moot what kind of bugs are affecting 4chan.

“It was a long day to say the least,” Poole said at the end of the blog post, indicating that this may have been one of his worst days at the office.
