API tools faq
paste
Advertisement
Nicolai

Vodafon.is leak

Nicolai
Dec 1st, 2013
704
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.27 KB | None | 0 0
raw download clone embed print report
  1. TL;DR - Vodafon.is has been hacked since Feb 2010, xyz users email + cleartext passwords leaked, and a small amount of unencrypted creditcard data leaked.
  2.  
  3. _______________________
  4. | |
  5. | FILE: users.sql |
  6. |_______________________|
  7.  
  8. Rows: 77227
  9. Users with cleartext password: 2831
  10.  
  11. _______________________
  12. | |
  13. | FILE: signup.sql |
  14. |_______________________|
  15.  
  16. Database layout:
  17. CREATE TABLE `signup` (
  18. `id` int(10) unsigned NOT NULL auto_increment,
  19. `ssn` char(10) character set latin1 default NULL,
  20. `passwd` varchar(255) character set latin1 default NULL,
  21. `encpasswd` varchar(255) default NULL,
  22. `email` varchar(255) character set latin1 default NULL,
  23. `msisdn` varchar(255) default NULL,
  24. `stamped` datetime default NULL,
  25. `bank_key` char(128) character set latin1 default NULL,
  26. `bank_done` set('0','1') default '0',
  27. `email_key` char(128) character set latin1 default NULL,
  28. `email_done` set('0','1') default '0',
  29. `upgrade` set('0','1') default '0',
  30. `shortcut` set('0','1') default '0',
  31. `done` set('0','1') character set latin1 default '0',
  32. `status` tinyint(4) default NULL,
  33. PRIMARY KEY (`id`)
  34. ) ENGINE=MyISAM AUTO_INCREMENT=27735 DEFAULT CHARSET=utf8;
  35.  
  36. "passwd" : cleartype password
  37. "encpasswd" : bcrypt, workfactor 8 ($2a$08$)
  38.  
  39. So much for hashing, salting and stretching the passwords!
  40. TODO: password analysis
  41.  
  42. ____________________________
  43. | |
  44. | FILE: shop_order.xlsx |
  45. |____________________________|
  46.  
  47. Columns:
  48. id
  49. cart_id
  50. name
  51. vidtakandi
  52. kennitala
  53. address
  54. postcode
  55. email
  56. phone
  57. creditcard_type
  58. creditcard_name
  59. creditcard_number
  60. exp_month
  61. exp_year
  62. total_price
  63.  
  64. Rows:
  65. 3206 (total)
  66. 280 ("null" rows)
  67.  
  68. Most of the creditcard_number is "null", but the database does contain 2 rows with cleartext creditcard numbers + expire date, and 2 rows with what appers to be "encrypted" creditcard numbers.
  69.  
  70.  
  71. ___________________________
  72. | |
  73. | FILE: env_users.xlsx |
  74. |___________________________|
  75.  
  76. Columns:
  77. id
  78. ipaddress
  79. user
  80. pass
  81. email
  82. first_name
  83. last_name
  84. phone
  85. fax
  86. alt_phone
  87. reg_date
  88. last_active
  89. user_level
  90. notes
  91. image
  92. admin_notes
  93.  
  94. Count of rows:
  95. 331
  96.  
  97. Everyone, but one, has a "user_level" of 0.
  98. id 1
  99. ipaddress 2130706433
  100. user admin
  101. pass 0e2814ca720a84fa67df64c6704e6238
  102. email valtyrv@vodafone.is
  103. first_name Valt??r Bjarki Valt??sson
  104. last_name null
  105. phone null
  106. fax null
  107. alt_phone null
  108. reg_date 1/21/2008 0:00
  109. last_active 3/24/2009 15:40
  110. user_level 9
  111. notes null
  112. image null
  113. admin_notes null
  114.  
  115. Searching for the password hash on Google only gives 2 results:
  116.  
  117. One is from md5this.com[1] and tells us that the hash was added Tue 27th Apr, 2010 07:28 am and still hasn't been cracked. The other is from password cracking site insidepro.com[2] and from a post by a user named "pvjk" who ask'd the community help to crack the hash on Thu Feb 25, 2010 1:47 am.
  118.  
  119. This guy, pvjk[3] is an old user:
  120. Joined: 31 Oct 2008
  121. Usergroups: None
  122. Total posts: 176
  123. Reputation: 35
  124. Last post: Thu Sep 06, 2012 6:05 am
  125.  
  126. So what so special about the hash he posted? Well, if you try to crack some of the other hashes on the list:
  127. hash : plaintext
  128. fd0fb93cb0469641418dec73a88356fb : liquids+(_a*
  129. f4af4a693ae12edf54788e7bae215aee : 123456s+(_a*
  130. ec5b0a570b81361d98228c1a232833e0 : viktors+(_a*
  131.  
  132. It appers that they are created with the static salt ("pepper"): s+(_a*
  133. $hash = MD5($password . "s+(_a*"); // this is not secure, but how vodafon did it.
  134.  
  135. So most likely the hash "0e2814ca720a84fa67df64c6704e6238" is specific to vodafon.is
  136. And someone was trying to crack this in Feb 2010... Do I need to say more?
  137.  
  138. Well, actually I gave it a shot (simple dict + salt) and found it in less than 1 sec:
  139. 0e2814ca720a84fa67df64c6704e6238 : abcd1234s+(_a*
  140. So the password of the admin is "abcd1234".
  141.  
  142. [1] http://www.md5this.com/list.php?page=54080&key=1&author=ToXiC&country=Cyprus&city=Nicosia (Note the "author" in the URL).
  143. [2] http://forum.insidepro.com/viewtopic.php?t=4009&postdays=0&postorder=asc&highlight=ab882278fc5de873211f18f99b12b872&start=750&sid=78dc561dab3b2bd58d5b43cb75e6a065
  144. [3] http://forum.insidepro.com/profile.php?mode=viewprofile&u=3160
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!