Or, That time I hacked a whole country by accident!
I have done consulting gigs all over the world for security testing, and I frequently travel to speak at international conferences.
Here’s a story about how I found a vulnerability that could have allowed me to steal the private information of over 100+ MILLION people.
This is by far the biggest (in the number of people impacted) hack I’ve ever done… and it wasn’t even for work.
Not too long ago I was planning on traveling out of the states for work, so I needed a VISA.
If you’ve ever applied for one you know that some countries pass this service off to 3rd party providers to do. This one did not. They had a government office and website to do passport verification, and application to get a VISA.
I did the whole process. I created an account, uploaded all my passport info, answered personal questions, uploaded photos, etc. Somewhere at the end of the process was asked if I wanted to pay for a “rush” service. I did. I also entered my credit card info.
Toward the end of the application process, I was given a link to check my order status, something like:
This page prompted me to log in using the credentials I had set up earlier. Then it redirected me to my account section which showed the page my order status.
In addition to this, there was an export to PDF button. Clicking this brought up a printable page of all my info referenced above.
I hovered over the button and the link looked like so:
https://threat.dev/app/printApplication?id=105608983
So… even when I’m not working, my hacker brain never turns off.
That number, 105608983, what if I changed it to 105608982? The number right before me? Surely the application would recognize that was not my id, and give me an error right?
Unfortunately for them, and for all the applicants before me, the change worked
Requesting:
Returned another user’s personal information. Big sad.
This type of web vulnerability is typically called an IDOR (an Insecure Direct Object Reference).
Since I found this bug totally outside of work, I started to get very nervous about finding such a big bug on a foreign gov site to which I was traveling.
I had to find a way to disclose it responsibly without getting in trouble. I reached out to several friends in the information security scene.
Luckily one of them knew someone who worked in Cyber Security for that government. They asked that I pass along a written report. I did.
I then worked with them to retest the issue once a fix was put in place.
I discovered four more vulnerabilities in this process, one of which was that the database was being backed up in a tar file to the same place user images were being uploaded. This directory had no authentication or access controls on it. The database had some credit card numbers in it. Big Sad #2 for them. If you’re a security tester reading this, always check /backup or check for backup zip/tar files.
In the end, they were thankful for the disclosure & my work. My travel went without a hitch.
I didn’t even get a t-shirt but, I might have saved someone's personal data from evil hackers!