How I hacked millionaires' accounts in an MLM company

Valeriy Shevchenko
Nov 2, 2017

This is Harold and he will show you how to make money with an MLM company

All of you have probably stumbled upon “successful people” on the Internet. These people share their vision of life. They exhibit their wealth. They publish books about "How to get out of the comfort zone", while writing these books from their mansion in California. Do you know the type?
I really just got tired of it. I cleaned all my social network feeds of such personalities: individuals who broadcast about coaching, motivation, money from the sofa and an easy rich life. And you know what? It has become very cool to stay informed of events without these information rats!
Now, when I go to social networks, there are only cats and parrots :)

But the story is not about that. One day, before I cleaned up my social network feed, I got irritated and thought: what if I take a look at the real incomes of these people who annoy me so much?
That’s what I thought and did. More precisely, first I did it. But then I thought and stopped in time, before I broke any rules. Remember and honor #272! (the Russian law on cyber crime)
The story is about one network marketing (MLM) company, of which we have a lot these days. "A lot" is not quite the right description. Well, in general you understand…
The name of the company is intentionally hidden because they did not want to publicize this incident. In principle, that is right. Who knows what else I missed … Well, as a reader, from this example you can understand what you shouldn't do and which mistakes you shouldn't make.

So let’s go!
We have a goal: the company, and information about the people who live happily and gloriously on money from this company (it's difficult to say whether the latter is true).
We begin, of course, with social networks. You have no idea how many interesting things you can find in social networks.
We find out that all the information we are interested in can be fetched through one of their websites. Well. To catch the “victim”, we must become this “victim”.
To do this, we registered our own account.
After registration, we receive an email with the login and the password for the system. YES, the PASSWORD was also in the e-mail.

After receiving this letter, I immediately remembered this story:
https://tjournal.ru/60874-pochemu-ya-vyvozhu-vse-svoi-domeny-iz-ru-center (a story about storing passwords in plaintext in a database)
Okay. It’s certainly bad that passwords are scattered around so easily. But that will not help us in any way, unless we hack the mailbox of our victim.

We go further. We have received a username-password pair. We log in. And then we see that this password does not require a forced change, as one-time passwords do. Moreover, the password change menu does not require setting any “unique” password. And the password is made only of digits, and of a clearly fixed length. Such a combination is easily guessed with brute-force attack tools.

Okay. Let's check how well the login resists password guessing. And here it turns out that not everything is so simple. After several unsuccessful attempts the account is completely blocked, and you cannot log in even with the correct password. Our account was blocked for a few minutes. But this already makes a brute-force attack impossible.

And then I remembered the thing I love most in my work: native applications. Recently I’ve seen so many of them. And I have found so many bugs: hardcoded passwords, privilege bugs between users. Well, I was lucky and found a couple of applications from this company. And you know what?! I could use the same login and password pair to log into this application.

Of course, the functionality of the application did not open up infinite possibilities for us. But the login form used a different user authentication mechanism. The developers had made and used a new API endpoint for this app.

Without wasting time, I decided to check in this app what would happen if I tried to conduct a brute-force attack on my test account. How fast could I guess my password? How many threads could I run without the server failing? How quickly would I be banned by the attentive admins of the system?
You know what?!
The password guessing worked at a crazy speed with five threads (dozens of passwords per second). And the server almost never returned a 500 error to me from the increased load. And I was not banned. The attack ran for several hours. And I successfully found the password. In the system itself, I had huge functionality. And after all this, I just started to assess the risks for the company in order to present them with a security report. After some time I understood the seriousness of the consequences of my attack succeeding.

And so what could be done? …
- Collecting personal data of users of the system (name, phone, passport data, address)
- Collecting all financial activity of these users.
- Collecting sensitive information about users from personal messages (private messages)
- Transferring funds between users (like Robin Hood). And in fact, it could be done in a very cheerful format. With one hacked account you can understand the amount of damage, find the transactions and roll them back. After a few hacked accounts, it would be almost impossible to do this. As a result, financial losses for the company.
- Reputation damage due to disclosure of financial activity

I already sense your questions: Why are you trying to create horror? How do you know the logins of other users?
And here is my answer: social networks! Easy, Real talk, Think about it!

Everything is public. And the login data format is also quite trivial.

But the question about internal transactions still remained open for me. I’m not sure that it would be possible to implement this piece because of SMS verification. Every financial action is confirmed via an SMS code. We can try to change the phone number in the account settings. But I still do not know whether the SMS would come to us. I used this service:
http://smsget.net/
It's a virtual phone number. And I could not get any SMS notifications for my test account with my test transactions.

The most difficult part for me was finding a responsible person to talk with me about this security issue.
I wrote to one “nobleman” from this company. He seemed to be a leader. But he ignored my messages. And he never read my last messages to him.
Through social networks and friends of friends, I found a man who was a developer at this company. He in turn pointed me to another person who is responsible for “all these things”.
By the way, it took 2–3 days to get to this person. The man reacted adequately. We had a very cool talk about all the problems. It was also remarkable that, because of the abnormal traffic that I had intentionally created, he had closed the existing loophole a few days earlier. And it’s cool. It would not be cool if he had not noticed anything at all)))

The problem is closed. Everyone is happy. I got an interesting experience. The company received a valuable report and a lesson.
And now you have a question about the reward?
I will answer with a quote from a great man — No money, but don't give up.

In fact, the main developer suggested transferring some money to my test account. But I cannot withdraw this virtual money. I asked him to transfer this money to my friend who is connected with this company.
Let him buy kinder-surprises for his children.

Conclusions:
- Do not get too deep when you discover something “interesting”.
- Never forget about 272 (the Russian cyber crime law), and about the risk of ending up in contact with a person who may not be happy about your “hacking” report.
- Never implement authentication through different API endpoints. There should not be any workaround solutions for a particular function. Everything should work through a single endpoint with a single protection. Otherwise, you will get tired of looking for the place through which someone hacked you.
- Do not use simple passwords for users.
- Always encrypt passwords, use salt, and do not store them in plain text.
- Do not send passwords from the system by e-mail when registration is finished. If the user loses control over the mailbox, he will lose control over his account in your system.
- Do not use the login generator on your system. Logins in the system should always be unique.
- When implementing login functionality, don't forget about brute-force protection.
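
The conclusions about a single authentication path with a single brute-force protection and about salted password storage, sketched as an added example (not code from the company or from the original post): both the web form and the mobile API handler call one service, so failed attempts are counted in one place regardless of the endpoint. The handler and field names, the policy values and the choice of PBKDF2 are assumptions.

```python
import hashlib, hmac, os, time

MAX_FAILURES = 5     # assumed policy: failed attempts before a lock
LOCK_SECONDS = 300   # assumed lock length ("a few minutes" in the article)

class AuthService:
    """The only place that checks credentials and counts failures."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}     # login -> (salt, password hash)
        self._failures = {}  # login -> (failure count, locked_until)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, login, password):
        salt = os.urandom(16)  # per-user salt; the password itself is never stored
        self._users[login] = (salt, self._hash(password, salt))

    def login(self, login, password):
        now = self._clock()
        count, locked_until = self._failures.get(login, (0, 0.0))
        if now < locked_until:
            return "locked"          # refused even with the correct password
        if locked_until:             # an earlier lock has expired: start over
            count = 0
        salt, stored = self._users.get(login, (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), stored):
            self._failures.pop(login, None)
            return "ok"
        count += 1
        locked_until = now + LOCK_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[login] = (count, locked_until)
        return "locked" if locked_until else "denied"

AUTH = AuthService()  # one shared instance behind every endpoint

def web_login(form):         # hypothetical web form handler
    return AUTH.login(form["login"], form["password"])

def mobile_api_login(body):  # hypothetical mobile app API handler
    return AUTH.login(body["user"], body["pin"])

if __name__ == "__main__":
    AUTH.register("demo-user", "4821")  # constructed sample account
    for _ in range(4):
        web_login({"login": "demo-user", "password": "0000"})
    print(mobile_api_login({"user": "demo-user", "pin": "0000"}))
    print(web_login({"login": "demo-user", "password": "4821"}))
```

A per-account lock like this lets anyone who knows a login lock its owner out, so it is usually paired with throttling per source address.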

Stay tuned
