SHARE
TWEET

FBI Leaks - My Statement

CyberZeist2 Jan 5th, 2017 (edited) 8,459 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. I am being contacted by many media agencies with weird questions related to the recent FBI hack released on 1st January 2017 - http://pastebin.com/5vwz6Wj4
  2. This statement is a justification for all those questions.
  3. ----------------------------------------------------------
  4.  
  5. Many news outlets are asking me questions like my primary goal was to degrade the image of the organization behind Plone CMS development as it is considered as the most secured CMS till date with no vulnerability at all. This question is totally irrelevant as I have been in hacking scene since 2011 working under "Anonymous" umbrella and I hack the targets purely out of my own motivation. So, I am not influenced by any organization that wants to degrade the Image of Plone Organization.I just leaked out the details that I received after using the attack vector. I am not aware of any technical details of how Plone works internally. So please, do not ask me the technical details related to the inner workings of this CMS, you can test and see for yourself once I release the 0day vector.  
  6.  
  7. Also, stating that Plone CMS and its derivatives (currently used by FBI) are 100% hack proof is false as they had a few vulnerabilities in the past -
  8. https://www.exploit-db.com/exploits/38738/
  9. https://www.exploit-db.com/exploits/18262/
  10. https://www.exploit-db.com/exploits/27630/
  11. https://www.cvedetails.com/vulnerability-list/vendor_id-4313/Plone.html
  12. (these may be old, but the current 0day is closely related to them. The 0day I was given to test out was specifically for Local File Inclusion and Path Traversal exploits)
  13.  
  14. Regarding Plone 0day validity:
  15. ------------------------------
  16. Secondly, I am being asked to release the 0day Plone CMS vulnerability to prove its credibility and validity. First of all, as I have already stated that I am not the one who discovered this 0day myself. I was contacted by a 0day vendor with handle "lo4fer" over tor network who asked me to test out the 0day on active websites using Plone and its DERIVATIVES. The FBI hack was done to test out the vulnerability. So I cannot disclose the 0day vector myself unless this exploit is not being actively sold or is rendered obsolete. Thus I will release the 0day myself via twitter and few selected security news portals once this 0day is not on sale or is rendered obsolete. So please wait for few days, once this 0day is obsolete, I will release the 0day as a proof of validity. I cannot break the negotiation code and release the 0day myself at this point as the vendor shared the 0day in exchange of my real identity as a token while handing the 0day vector to me.
  17.  
  18. PS: Please stop blaming the people who are not involved in this hack, I alone have the sole responsibility to prove the validity of this 0day and NOT ANYONE ELSE!!!!
  19.  
  20. Lastly, I want to add that I could have released this leak only under my name and not under the name of ANONYMOUS. This was done to revive the lost image of Anonymous which has gone silent since last few years. And I am grateful that I received good amount of support from the Anonymous Family as the mainstream media declined to even publish the hacks in first place.
RAW Paste Data
Top