The Sanctuary

Technology => Network (in)Security => Topic started by: MrHigh on September 14, 2014, 09:24:04 am

Title: Security flaw in gov site that allows SSN to be harvested
Post by: MrHigh on September 14, 2014, 09:24:04 am
My friend has this site that she is finished harvesting data from and she wants to know how to go about it from here.  She only harvested full names, SSN, and DOB.

1. She can report the error to the admins and give them their own PI just for the lulz.  If she does this, she can no longer get additional info on people.

2. She can leave it open and risk other novice hackers finding the flaw, which will make her data less valuable.  However, she could get people's addresses and other info if needed.

3. She could contact local news crews, give them their own PI, explain how she got it, and see if they call the site out on the news.

What should she do?
Title: Re: Security flaw in gov site that allows SSN to be harvested
Post by: MrHigh on October 04, 2014, 07:18:51 pm
Reported.
Title: Re: Security flaw in gov site that allows SSN to be harvested
Post by: degenerate matter on October 04, 2014, 07:43:19 pm
The security community as a whole benefits from prompt disclosure of any bugs found, so the ethical thing to do is report the flaw to the sysadmin, then post a public description of how you accomplished the hack in order to help others avoid making the same configuration mistake.
Title: Re: Security flaw in gov site that allows SSN to be harvested
Post by: iam on October 04, 2014, 07:49:23 pm
'she'

didn't know sluts have computers in the kitchen
Title: Re: Security flaw in gov site that allows SSN to be harvested
Post by: Tokolosh on October 04, 2014, 10:16:12 pm
Reported.

Whitehat pussy :(

'she'

didn't know sluts have computers in the kitchen

I'm sure microwaves have ethernet ports nowadays. Something about Radioactive Broadband for the best Jacket potato internet experience.
Title: Re: Security flaw in gov site that allows SSN to be harvested
Post by: komokazi on October 05, 2014, 12:05:37 am
The value of the goods will not be affected by simply one site's security configuration. Also, OP most likely just works somewhere and stole the information.
Title: Re: Security flaw in gov site that allows SSN to be harvested
Post by: MrHigh on October 07, 2014, 06:10:18 pm
Whitehat pussy :(

I only reported it because I have already harvested all of the current SSN in it.

They have fixed it, for the most part.  I can still get into other users' accounts, but I can't view the SSN and other personal information.

Let's pretend like this is a couple that end in 1234...

 ;)
Title: Re: Security flaw in gov site that allows SSN to be harvested
Post by: MrHigh on October 07, 2014, 06:12:05 pm
Also, lol @ the kidiots that don't know how to check if last name + DOB matches a SSN.
Title: Re: Security flaw in gov site that allows SSN to be harvested
Post by: MrHigh on October 18, 2014, 06:20:15 pm
http://www.oregonlive.com/money/index.ssf/2014/10/data_breach_manager_resignation_point_to_more_employment_department_woes.html
Title: Re: Security flaw in gov site that allows SSN to be harvested
Post by: MrHigh on October 20, 2014, 05:42:53 pm
Here's another one...

http://www.statesmanjournal.com/story/news/2014/10/13/employment-records-hacked/17230193/

Fun times.