3 Commits
193eff2c57
...
70d74e19b9
Author | SHA1 | Date |
---|---|---|
maia arson crimew | 70d74e19b9 | |
maia arson crimew | e1288d588e | |
maia arson crimew | 55d4268b1b |
|
@ -7,6 +7,8 @@ const related = require("eleventy-plugin-related");
|
|||
const markdownIt = require("markdown-it");
|
||||
const markdownItAnchor = require("markdown-it-anchor");
|
||||
|
||||
const figure = require('./src/_includes/components/figure.js');
|
||||
|
||||
module.exports = function (eleventyConfig) {
|
||||
const parseDate = (str) => {
|
||||
if (str instanceof Date) {
|
||||
|
@ -23,7 +25,8 @@ module.exports = function (eleventyConfig) {
|
|||
trimBlocks: true
|
||||
});
|
||||
|
||||
eleventyConfig.setLibrary("md", markdownIt({ "html": true }).use(markdownItAnchor, { "level": 2 }));
|
||||
const md = markdownIt({ "html": true }).use(markdownItAnchor, { "level": 2 });
|
||||
eleventyConfig.setLibrary("md", md);
|
||||
|
||||
eleventyConfig.addPlugin(pluginRss);
|
||||
eleventyConfig.addPlugin(syntaxHighlight);
|
||||
|
@ -31,6 +34,8 @@ module.exports = function (eleventyConfig) {
|
|||
eleventyConfig.addPlugin(safeLinks);
|
||||
eleventyConfig.addPlugin(eleventySass);
|
||||
|
||||
eleventyConfig.addShortcode('figure', figure(md));
|
||||
|
||||
eleventyConfig.addPassthroughCopy({ "src/static": "/" });
|
||||
|
||||
eleventyConfig.addFilter("date_to_datetime", (obj) => {
|
||||
|
|
|
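Review bot: The hoisted `const md = markdownIt({ "html": true }).use(...)` on the new side carries no comment saying why it is no longer inlined in `setLibrary`, so a later cleanup could re-inline it and silently break the `figure` shortcode registered a few lines below with `figure(md)`. Suggest adding above it `// single markdown-it instance shared by setLibrary and the figure shortcode so captions render with the same html/anchor settings`. Sharing the instance also means caption text rendered through it inherits `html: true` (raw HTML passes through); that is fine for author-written front matter but worth remembering if captions ever come from another source. The enclosing `module.exports` function starts and ends outside these hunks.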
@ -0,0 +1,8 @@
|
|||
module.exports = (md) => ({ src, alt, caption = '' }) => `
|
||||
<figure>
|
||||
<div>
|
||||
<img src="${src}" alt="${alt}" />
|
||||
</div>
|
||||
${caption ? `<figcaption>${md.renderInline(caption)}</figcaption>` : ''}
|
||||
</figure>
|
||||
`
|
|
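Review bot: On the `<img src="${src}" alt="${alt}" />` line both values are interpolated into attribute positions without escaping, so an alt text containing `"` or `&` yields a malformed attribute, and a missing `alt` renders the literal string `undefined`. The values come from the shortcode call site rather than user input, so this is a correctness problem more than an injection vector, but a small escape helper closes both gaps. The caption path is intentionally different: `md.renderInline(caption)` uses the shared instance built with `html: true` in `.eleventy.js`, so raw HTML in captions passes through by design and deserves a comment such as `// caption is author-written markdown; raw HTML is allowed because the shared md instance has html: true`. Suggested rewrite of the export with the helper:
```javascript
// Escape a value for use inside a double-quoted HTML attribute.
// src/alt come from templates, not user input, but a stray `"` still breaks the tag.
const escapeAttr = (value) =>
  String(value ?? '')
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');

module.exports = (md) => ({ src, alt, caption = '' }) => `
<figure>
  <div>
    <img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}" />
  </div>
// … unchanged: figcaption rendering and closing tags …
```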
@ -14,6 +14,11 @@ a {
|
|||
color: $accent;
|
||||
}
|
||||
|
||||
::selection {
|
||||
background-color: rgba($accent, 0.7);
|
||||
color: #ffb8e8;
|
||||
}
|
||||
|
||||
.like-a {
|
||||
color: $accent;
|
||||
text-decoration: underline;
|
||||
|
@ -172,6 +177,60 @@ video {
|
|||
max-width: 100%;
|
||||
}
|
||||
|
||||
figure {
|
||||
margin-left: 0;
|
||||
margin-right: 0;
|
||||
}
|
||||
|
||||
figcaption {
|
||||
text-align: center;
|
||||
font-style: italic;
|
||||
}
|
||||
|
||||
blockquote {
|
||||
background-color: $semi-bg;
|
||||
border-left: 3px solid $accent;
|
||||
padding: .5em .5em;
|
||||
quotes: "\201C""\201D""\2018""\2019";
|
||||
|
||||
p {
|
||||
display: inline;
|
||||
margin-top: 0;
|
||||
line-height: 1.4em;
|
||||
}
|
||||
}
|
||||
|
||||
blockquote:before {
|
||||
color: $accent;
|
||||
content: open-quote;
|
||||
font-size: 4em;
|
||||
line-height: 0;
|
||||
margin-right: 1px;
|
||||
vertical-align: -0.4em;
|
||||
}
|
||||
|
||||
blockquote:after {
|
||||
color: $accent;
|
||||
content: close-quote;
|
||||
font-size: 4em;
|
||||
line-height: 0;
|
||||
margin-left: 1px;
|
||||
vertical-align: -0.4em;
|
||||
}
|
||||
|
||||
span.greentext {
|
||||
color: #789922;
|
||||
}
|
||||
|
||||
blockquote.greentext::before {
|
||||
content: none;
|
||||
display: none;
|
||||
}
|
||||
blockquote.greentext::after {
|
||||
content: none;
|
||||
display: none;
|
||||
}
|
||||
|
||||
.tag {
|
||||
font-weight: bold;
|
||||
}
|
||||
|
@ -204,10 +263,6 @@ video {
|
|||
}
|
||||
}
|
||||
|
||||
.greentext {
|
||||
color: #789922;
|
||||
}
|
||||
|
||||
.lavender-webring-container,
|
||||
.sleepy-zone-webring-container {
|
||||
all: unset;
|
||||
|
|
|
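Review bot: The new `blockquote:before` and `blockquote:after` rules use the single-colon pseudo-element syntax while `blockquote.greentext::before` and `::after` a few lines later use the double-colon form; both work in current browsers, but mixing them in one hunk is inconsistent. Change the two selectors to `blockquote::before {` and `blockquote::after {` to match. In the `.greentext` overrides, `content: none` alone already suppresses the generated pseudo-element, so the accompanying `display: none` is redundant and could be dropped, though it is harmless.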
@ -37,4 +37,4 @@ ok i feel like it should already just be clear from the previous section why sta
|
|||
|
||||
alright so, see point 5 above? yea that, i will be collecting stalkerware breaches sent to me, looking into companies myself, and blogging about them one by one. revealing (as far as possible) how unsecure they are, who's behind them, trying to get comment, and helping other journalists with stalkerware related reporting. two blog posts are already in the works, and if you have anything to contribute to potential reporting (vulns you find in stalkerware software, leaked data, investigations, insider info \[your identity will be protected], etc) or are a journalist looking to cover anything in this series in more detail, [contact me](/contact/).
|
||||
|
||||
> note: [the EFF has also been doing really important work rooting out stalkerware for many years now](https://stopstalkerware.org/) (cool website to learn even more about stalkerware too), which i have previously contributed to with other work, which i will not link due to it being linked to my deadname
|
||||
*note: [the EFF has also been doing really important work rooting out stalkerware for many years now](https://stopstalkerware.org/) (cool website to learn even more about stalkerware too)*
|
|
@ -33,7 +33,7 @@ i am informed that the US government has charged me for "conspiracy, wire fraud,
|
|||
|
||||
less than a week later i wake up to hundreds of dms and massive chaos on social media, i am once again going through a news cycle, the third time in just two weeks. my US indictment has been unsealed and there is a big press release on the justice.gov website.
|
||||
|
||||
> “A cyber-criminal could be anywhere in the world. Thanks to our foreign partnerships, international borders won't provide a haven for their illegal activities,” said Donald Voiret, FBI Special Agent in Charge, Seattle. “This indictment demonstrates the FBI’s commitment to working with our partners around the globe to disrupt and dismantle criminal enterprises that target Americans and their businesses.”
|
||||
> A cyber-criminal could be anywhere in the world. Thanks to our foreign partnerships, international borders won't provide a haven for their illegal activities,” said Donald Voiret, FBI Special Agent in Charge, Seattle. “This indictment demonstrates the FBI’s commitment to working with our partners around the globe to disrupt and dismantle criminal enterprises that target Americans and their businesses.
|
||||
|
||||
i have been made an example.
|
||||
|
||||
|
|
|
@ -14,9 +14,8 @@ feature_image: /img/posts/how-to-hack-an-airline/cover.jpg
|
|||
feature_alt: "a glitchy edited photo of an airplane"
|
||||
---
|
||||
|
||||
> note: this is a slightly more technical* and comedic write up of the story covered by my friends over at dailydot, which you can read [here](https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/)
|
||||
|
||||
> <small>*i say slightly since there isnt a whole lot of complicated technical stuff going on here in the first place</small>
|
||||
*note: this is a slightly more technical\* and comedic write up of the story covered by my friends over at dailydot, which you can read [here](https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/)*
|
||||
*<small>i say slightly since there isnt a whole lot of complicated technical stuff going on here in the first place</small>*
|
||||
|
||||
## step 1: boredom
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@ the [link to the write-up](https://files.kick.com/tmp/66a348a9-08ac-48fd-87c9-10
|
|||
|
||||
### first vuln: chat message fabrication
|
||||
|
||||
> "We first looked over Kick's user interface with DevTools, and noticed when pinning a message, the entire metadata of the message gets sent with it. When you modify said payload to include a fake username/content/badges, the server will blindly accept it, allowing you to impersonate any chat member. Incredible!"
|
||||
> We first looked over Kick's user interface with DevTools, and noticed when pinning a message, the entire metadata of the message gets sent with it. When you modify said payload to include a fake username/content/badges, the server will blindly accept it, allowing you to impersonate any chat member. Incredible!
|
||||
|
||||
this sounds fun! so i went ahead and tried to replicate it:
|
||||
|
||||
|
@ -62,13 +62,13 @@ in the past this apparently worked on arbitrary channels - the api even still re
|
|||
|
||||
### let's just responsibly disclose this i guess
|
||||
|
||||
> "We first debated about trying to responsibly disclose this vulnerability, the side of this is that Kick is heavily funded by Stake, a illegal online crypto casino, which is very legally and morally questionable. The debate ended up in us atleast trying to find a security contact... we found none. That's why we're writing this document instead of contacting Kick privately - we can't."
|
||||
> We first debated about trying to responsibly disclose this vulnerability, the side of this is that Kick is heavily funded by Stake, a illegal online crypto casino, which is very legally and morally questionable. The debate ended up in us atleast trying to find a security contact... we found none. That's why we're writing this document instead of contacting Kick privately - we can't.
|
||||
|
||||
not only do kick and stake make it incredibly hard to even try to responsibly disclose vulnerabilities, they are also "known to ignore security vulnerabilities and pursue legal action against whistleblowers instead of fixing them," according to the group. this is why their write-up has been published anonymously and sent to me to report on. in a conversation the group told me they were further motivated to not responsibly disclose as to not support a platform "specifically made to promote illegal gambling \[content\], since twitch blocked it." so their research continued...
|
||||
|
||||
### second vuln: arbitrary file write / XSS
|
||||
|
||||
> "While digging into saving profile pictures for some sort of vulnerability, we found that **Kick** implemented [Larevel's Vapor upload system](https://docs.vapor.build/1.0/resources/storage.html#file-uploads) incorrectly. This gave anyone full control of the content type and extension (allowing you to upload more than just images). These files were hosted on a domain in-scope for **all Kick.com cookies!**. Since Kick was pretty short sighted, they decided to make all authentication tokens accessible on all subdomains."
|
||||
> While digging into saving profile pictures for some sort of vulnerability, we found that **Kick** implemented [Larevel's Vapor upload system](https://docs.vapor.build/1.0/resources/storage.html#file-uploads) incorrectly. This gave anyone full control of the content type and extension (allowing you to upload more than just images). These files were hosted on a domain in-scope for **all Kick.com cookies!**. Since Kick was pretty short sighted, they decided to make all authentication tokens accessible on all subdomains.
|
||||
|
||||
the write-up itself, hosted on files.kick.com using this vulnerability, is the proof of concept for this vuln. to showcase the loose cookie access control there is also a button which (when clicked on the files.kick.com version) displays all of your kick.com cookies, showcasing the potential for XSS and token stealing
|
||||
|
||||
|
@ -78,15 +78,15 @@ given that the write-up itself already definitely proved the viability of this v
|
|||
|
||||
### third vuln: arbitrary file read / improper aws access control
|
||||
|
||||
> "So, you know that domain from earlier? Yeah, `files[.]kick[.]com`. Turns out, the main user content bucket was publicly viewable by just going to the [root of the domain](https://files.kick.com/)! Fun, am I right? All your user uploaded content available to the public, but it gets worse! It doesn't even get removed if you delete it. That probably breaks some privacy law, but we're too lazy to investigate."
|
||||
> So, you know that domain from earlier? Yeah, `files[.]kick[.]com`. Turns out, the main user content bucket was publicly viewable by just going to the [root of the domain](https://files.kick.com/)! Fun, am I right? All your user uploaded content available to the public, but it gets worse! It doesn't even get removed if you delete it. That probably breaks some privacy law, but we're too lazy to investigate.
|
||||
|
||||
i also verified this one myself by checking the bucket (`kick-files-prod`) contents using the [aws cli](https://aws.amazon.com/cli/), and have started archiving as much of the bucket as i can (at the time of writing that is around 50+gb of mostly user generated content). a quick check verifies that at the very least the bucket does not allow for public write or delete access; publicly allowing read access is still pretty bad nevertheless.
|
||||
|
||||
### conclusion
|
||||
|
||||
> "Kick is definitely not a better alternative to Twitch, and this is not even all of the flaws we found. Some of them would be even more dangerous to publish publicly. It's incredible how streamers like to go on every platform without doing the smallest bit of investigation.
|
||||
> Kick is definitely not a better alternative to Twitch, and this is not even all of the flaws we found. Some of them would be even more dangerous to publish publicly. It's incredible how streamers like to go on every platform without doing the smallest bit of investigation.
|
||||
> [...] I know Twitch sucks, but this really isnt the alternative. A small startup could do better then this. Use YouTube gaming, theyre pretty cool, and we'd rather trust Google instead of a Gambling comp with shit security.
|
||||
> Or you know, [self host your streams..](https://owncast.online/)"
|
||||
> Or you know, [self host your streams..](https://owncast.online/)
|
||||
|
||||
i definitely agree with this sentiment. i am also very curious regarding further trivially found vulerabilities (including the ones teased in the write-up), and im hopeful this write-up and my blog post can inspire some more interesting security research on kick.com, making it at the very least somewhat more secure hopefully. morally i also fully agree that trusting a platform which primarily exists to promote gambling and gambling content, owned by one of the biggest players in that industry, is foolish, no matter how good their creator payouts may be. this is further evidenced by how the only channels i saw ever having more than maybe 2000 viewers on kick during this investigation were famous gambling content creators, no other category ever seemed to garner much views.
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ feature_alt: "a screenshot of a 4chan leak release post"
|
|||
|
||||
yesterday evening an anonymous 4chan user dumped a leak on the /g/ technology board, claiming to have completely owned risk visualization company [optimeyes](https://optimeyes.ai):
|
||||
|
||||
<blockquote>
|
||||
<blockquote class="greentext">
|
||||
<span class="greentext">> be cyber security risk assessment company</span></br>
|
||||
<span class="greentext">> focus on intellectual property theft</span></br>
|
||||
<span class="greentext">> dont secure ur own systems at all</span></br>
|
||||
|
|
|
@ -18,8 +18,7 @@ after taking a two month long hiatus (for mental health reasons, nothing to get
|
|||
|
||||
[rosgosstrakh (RGSL/росгосстрах)](https://en.wikipedia.org/wiki/Rosgosstrakh) is the second biggest russian insurance company, behind [SOGAZ](https://en.wikipedia.org/wiki/Sogaz) with an annual revenue of around 90 billion rubles ([2022](https://www.reuters.com/markets/companies/rgss.mm/financials/income-annual)). RGSL has been [subject to US sanctions](https://www.hstoday.us/subject-matter-areas/intelligence/new-sanctions-top-ten-russian-financial-institutions-now-under-u-s-restrictions/) since the start of the russian invasion of ukraine in february 2022. my source gained full access to their investment and life insurance department with data going back to 2010, giving them full access to ~3 million bank statements, data on 730k people/holders (around 80k of which with SNILS (russian ssn) and another 45k with full bank routing info), and all life insurance policies/contracts. they are also able to access all attachments to the former data, such as passports and scanned documents (i was only provided with a small selection of this data, but all of it is included in the purchasable dataset). the source further claims that they most likely have the ability to authorize and create bank transfers if they wanted to do so.
|
||||
|
||||
![two screenshots of the adinsure software used by RGS](/img/posts/rosgosstrakh-hack/adinsure.jpg)
|
||||
two screenshots of the [adinsure](https://www.adacta-fintech.com/platform) software used by RGS captured by the hackers during the attack
|
||||
{% figure { src: '/img/posts/rosgosstrakh-hack/adinsure.jpg', alt: 'two screenshots of the adinsure software used by RGS', caption: 'two screenshots of the [adinsure](https://www.adacta-fintech.com/platform) software used by RGS, captured by the hackers during the attack' } %}
|
||||
|
||||
## analysis
|
||||
|
||||
|
|