EdCon Free

a guest
Feb 14th, 2017
I release hereunder a full dump of the EdCon database.
A copy of this text is available at:
https://hastebin.com/yexahocuvo.txt

EdCon is a major Ethereum developer conference. It will be held in Paris from February 17th to 18th. "EDCON is organized by LinkTime with the support and cooperation of developers from the Ethereum Foundation and the wider Ethereum community".
The main organizer is Beijing LinkTime Technology Company Limited, a Chinese software service company, that "works closely with core Ethereum developers and researchers, and helps to advance the Ethereum ecosystem through technological development and training".

I'm really concerned about the level of security developed by LinkTime for this conference. Nothing was secure: the admin panel was public, without any authentication, and even HTTPS was not mandatory. In a way, this is quite in line with Ethereum developers' 'YOLO' practices and habits. LinkTime's goals look scary now: "A health care industry solution based on blockchain is one of our main applications in future". Vitalik Buterin himself is an adviser of this Chinese company [http://www.linktimetech.com/english.html]. Nevertheless, I hope this disclosure won't cast any fishy shadows on Ethereum developers' work.

I deeply regret publishing all this private information about registered persons. Please note all information here was public and not encrypted, thanks to LinkTime. So, this is not an actual leak. One needs to be careful when dealing with the Ethereum ecosystem, and not disclose any sensitive data to any Ethereum-related companies. The people registered for this event chose to trust LinkTime and Ethereum Foundation developers; it was a major mistake and a bad assessment. From what I can see, with these ground-level security failures, it would be useless to responsibly share with the developers to improve their system. Still, I choose to publicly disclose everything, instead of ransoming, racketeering, or phishing users or organizers.


Access Full EdCon Registered Users Data:
JSON: https://dl.dropboxusercontent.com/s/ihukfrbs58nhck5/RegUsers.json
CSV: https://dl.dropboxusercontent.com/s/t4vw5rel0zsj7ff/RegUsers.csv

Their system was not ready or failed to record TxIDs.


Speakers, Startups, Developers and Investors List [RAW]
https://www.dropbox.com/s/r20ga9dtwyhcyzx/Others.txt?dl=0


EdCon Admin Panel (public webpage, encryption not mandatory):
http://edcon.io/admin2.html
HTML source of the page:
https://dl.dropboxusercontent.com/s/puck2c84f57b0ko/admin2.html.txt

From that public page, it is possible for anyone (without any auth, possibly in clear text) to:
- Change the Omise ID used for VISA payment
- Change the address for Bitcoin and Ethereum
- Change the confirmation message when payment is received
- Search for users
- Add data
- Display users

Several days ago I changed the payment addresses for Bitcoin and Ethereum to mine [h4ck3rs 1st]. But this seems not to have been effective, as new payments keep reaching the previous addresses, which were: 1LKCBi4DosV8sneYajACsWpq9CksxFVFXV and 0xe8c0b3943030f894ac3c0a492463b40ab949e015.

Using plain HTTP requests, everyone can for example:

Read the number of expected attendees (lots of 2x or 3x in userPay)
GET http://edcon.io/FranceWebsite/handle/getAllNum.php
Gives out: {"contact_num":"30","startups_num":"5","developer_num":"7","investor_num":"3","speaker_num":"25","userPay_num":"256","volunteer_num":"24"}

Get the full registered users list
POST http://edcon.io/FranceWebsite/handle/getUserPay.php start=0&count=1000
or
POST http://edcon.io/FranceWebsite/handle/searchUser.php values=.&itype=5


A skilled developer might be able to register themselves by adding a PayUser in the system. I didn't use that; I didn't want to alter the system. Now, reading all over the admin2 page scripts, you can have a lot of fun! :)


The DAO Hacker
thedaohacker@mail.ru
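The failures described in the paste (an admin page reachable without authentication, HTTPS optional, handlers that return the whole user table or change payment addresses on a plain request) are all fixed at the handler level. The following PHP guard is an added example, not code from the paste and not LinkTime's or EdCon's code; it assumes a separate, hypothetical login script that sets `$_SESSION['admin_id']` and `$_SESSION['csrf_token']` after verifying credentials, and every name in it (`require_https`, `require_admin`, `require_post_with_csrf`, `page_bounds`, `audit`, the constants) is this example's own. It shows what each admin handler should do before touching data: refuse plain HTTP, require an authenticated session, require a CSRF token on state changes, clamp page sizes so one request cannot dump the table, and write an audit record.

```php
<?php
// Added example (not EdCon's or LinkTime's code). A guard that an admin handler
// would include before reading or changing any data. Assumed: a separate login
// script (hypothetical) sets $_SESSION['admin_id'] and $_SESSION['csrf_token']
// after verifying credentials; all names below are this example's own.
declare(strict_types=1);

const ADMIN_SESSION_KEY = 'admin_id';
const CSRF_SESSION_KEY  = 'csrf_token';
const MAX_PAGE_SIZE     = 100;   // a listing handler never returns more rows than this per request

function json_fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// 1. Refuse anything that did not arrive over TLS, so credentials and user data
//    never travel in clear text. The X-Forwarded-Proto check is only safe when a
//    TLS-terminating proxy you control sets that header and strips client copies.
function require_https(): void
{
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https');
    if (!$https) {
        json_fail(403, 'https required');
    }
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// 2. Require an authenticated admin session. Unauthenticated callers get 401 and
//    no data; the admin id is returned for audit logging.
function require_admin(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[ADMIN_SESSION_KEY])) {
        json_fail(401, 'authentication required');
    }
    return (int) $_SESSION[ADMIN_SESSION_KEY];
}

// 3. State-changing handlers (payment addresses, confirmation text, adding users)
//    must be POST and carry a CSRF token bound to the session, compared in
//    constant time.
function require_post_with_csrf(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        json_fail(405, 'POST required');
    }
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $given    = $_POST['csrf_token'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($given)
        || !hash_equals($expected, $given)) {
        json_fail(403, 'invalid csrf token');
    }
}

// 4. Clamp paging parameters so a single request cannot dump the whole table.
function page_bounds(array $params): array
{
    $start = max(0, (int) ($params['start'] ?? 0));
    $count = min(MAX_PAGE_SIZE, max(1, (int) ($params['count'] ?? 20)));
    return [$start, $count];
}

// 5. Record who did what; an audit trail is how a changed payment address gets noticed.
function audit(int $adminId, string $action, array $details = []): void
{
    error_log(json_encode([
        'ts'      => date('c'),
        'admin'   => $adminId,
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'action'  => $action,
        'details' => $details,
    ]));
}

// Usage at the top of a user-listing handler:
require_https();
$adminId = require_admin();
[$start, $count] = page_bounds($_POST);
audit($adminId, 'list_users', ['start' => $start, 'count' => $count]);
// ... then query with a prepared statement using LIMIT $start, $count and return the rows.
//
// A handler that changes a payment address or confirmation message additionally
// calls require_post_with_csrf() before applying the change, and audits the
// old and new values.
```

The order matters: the TLS check runs before `session_start()` so a session cookie is never sent over plain HTTP, and the CSRF check runs only after the session check because the token is bound to that session. Paging limits are no substitute for rate limiting at the web server, but they turn a one-request dump into something that shows up in the audit log as hundreds of requests.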