Well, what started out as a humorous slant on an unsuspecting web dev (probably someone pressed into service to build a web site for an oil and gas company) has taken a turn for the unfortunate. He had submitted a Mozilla bug stating that the browser was incorrectly posting a “notice of insecure password and/or log-in” on his…well, insecure site (no SSL, ports open galore, etc.).
[Embedded tweet from Eric Mill (@konklone), March 20, 2017]
You see, Mozilla’s bug tracker (this particular bug has since been removed) allows all submissions to be viewed publicly for comment and review. As a result of all this being shared via Ars Technica, Twitter (see embed above) and Reddit, the Internet (well, the dev & IT parts of it) exploded.
Dev george’s website, oilandgasinternational.com, got summarily hacked and beaten into submission, because, well, it’s the Internet, and that’s how the Internet responds when someone publicly states that their site “has never been breached in more than 15 years” while simultaneously submitting a bug report stating their site is insecure. Some took it as a challenge, but as it turns out, it was anything but.
Ports were open, tables were dropped (someone dropped the user tables to prevent password harvesting), calls were made…
Goodguy Reddit user /u/redditpentester called up dev george to alert him about his newly-found infamy (transcript follows):
redditpentester 180 points
So. Believe it or not, his number is on the website. I just called him. He was quick to answer too.
Twice, actually. Pretty surreal the first time (cannot believe the confidence some people have). All of this is from a VoIP number that shows up as “Private” so he won’t be calling back or anything (for better or worse, it would probably be funny/cool). I’ll type out my transcript and reply to the first comment to get visibility:
“Hey, I’m looking for a user by the name of dgeorge?”
Him: “I’m dev George.”
“When the entire internet browser ecosystem warns you that your website is insecure, why didn’t you listen?”
Him: “The website isn’t insecure, it’s very secure.”
“It’s not. An entire professional community is talking right now about how it’s not secure.”
Him: “No it’s not, the website is fine.”
“I’m trying to share facts with you right now.”
“Try to log into your website. I’ll wait.”
Him: “Who is this?”
“That really can’t be your first priority right now, please. I’m trying to help you. Not everyone out there is. Log into your own website, it’ll take just a moment and you’ll see. It’s all you have to do to catch up and sooner deal with being sued, being yelled at by any customers you might have, etc. Be an adult, you have to save your own ass right now.”
Him: pauses “Okay…” groans
Him: “It says server error.”
“Yeah, and it’s probably going to get worse than that. Here’s the deal. I woke up today and the places I read from and the people I talk to were all discussing your website and that it’s completely broken, and what has happened is people found your Mozilla bug report; your database table with your users and passwords has been destroyed. I can’t explain too much of how or why because this is something people go to school to learn about but essentially, and I say this as a professional, your website is anything but secure. You’re in a good spot all things considered because this way, the info for these accounts cannot be shared any longer. You’re lucky to have your entire database destroyed. The rumor is, and I haven’t verified this part, that you have credit information that is easy to retrieve as well?”
Him: “No, that’s not true, we have all of it sent to a secure separate location.” (Probably thinking of his payment processor/third party.)
“Okay, so that is good news but I will add, not sure if you’re familiar with what SSL is but it says on your website that you use it. You do not. It would be very easy for someone, even with limited experience, to intercept a transaction and the card information if you were ever unlucky enough for someone to have noticed your site’s vulnerabilities before today.”
“Okay so don’t worry about me, or who I am. Just search your own information and username on Google, I wish I could link you but obviously we’re over the phone. Search your own information and you will see the articles talking about your site. Alternatively, type a single quotation into your login field and you will see it’s broken. I can’t do much because like you, I have a job and a life to deal with but best of luck and hope it goes smoothly from here on out.”
Him: “Thanks, okay.”
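The “type a single quotation into your login field” test from the call above is worth seeing in working code. What follows is an added example, not code from the site or from the Reddit thread: a toy login check built two ways against an in-memory SQLite table with one constructed user row (the username and password are made up). The string-concatenation version does what the transcript describes (a lone quote breaks the statement and surfaces as a server error, and a crafted password logs in as any user), while the parameterized version treats the same input as data.

```python
import sqlite3

# Constructed sample data: one user row. This is an added example, not code
# from oilandgasinternational.com or from the Reddit thread. (Storing a
# plaintext password, as done here, is itself the reason "password
# harvesting" was a concern once the table was exposed.)
SAMPLE_USERS = [("dgeorge", "hunter2")]


def make_db():
    """In-memory stand-in for a site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: user input is spliced straight into the SQL text."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Hardened: placeholders make the driver pass input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def probe(login, username, password):
    """Classify how a login routine reacts to one username/password pair."""
    conn = make_db()
    try:
        return "accepted" if login(conn, username, password) else "rejected"
    except sqlite3.Error:
        # The unbalanced quote makes the statement unparsable; a real site
        # would show this as the "server error" mentioned in the transcript.
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    for name, fn in (("string concat", login_concat), ("parameterized", login_param)):
        print(name)
        print("  valid credentials        :", probe(fn, "dgeorge", "hunter2"))
        print("  single quote as username :", probe(fn, "'", "x"))
        print("  ' OR '1'='1 as password  :", probe(fn, "nobody", "' OR '1'='1"))
```

The third probe uses the password field rather than the username because `AND` binds tighter than `OR`: injected into the username, `' OR '1'='1` still leaves the password check in force, whereas injected into the password it turns the whole `WHERE` clause true for a username that does not even exist.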
As of this writing, the site’s source code shows embedded JS links to malicious sites. *sigh*
So, I am now feeling for George, it sounds like he is in over his head and may need help. Maybe those good guys of Reddit can give this guy a real hand (if he’ll take it) and help him get back on his feet again pro bono?
TL;DR: Guy submits public bug report to Mozilla calling his site insecure. It’s insecure, and because the bug report was public, do-gooders and do-badders hopped on the train and hacked the crap out of the site.
Image Courtesy of: (CC) Bill Ward