A Simple Explanation of How the Goatse Security "Account Slurper" Script Worked:

Disclaimer:
I am not a member of Goatse Security, nor am I a member of their affiliated trolling group GNAA.
I have never seen the code for the Account Slurper, nor have I ever engaged in a conversation with
anyone connected to GoatSec or GNAA or Gawker regarding its implementation. This I pieced together
just from reading the news articles regarding this case, and my own knowledge of computer science.

Publishing this is perfectly legal because 1) Anyone who knows how to implement this algorithm
already knows how to do this anyway. 2) It's a very simple algorithm. 3) Educational purposes
for developers in order to better defend against such simple exploits.

And to be honest, it's pathetic that something this simple was able to be used as an exploit.
Seriously.

SIM: Subscriber Identity Module, a chip present in all cellular devices that identifies the device
as belonging to a particular user, and contains the digital key allowing a device to connect
to a network.

identifier for a particular device. It's easy to find a possible ICCID, but ideally only
you, your phone and the phone company should be able to find the link between your ICCID
and your identity.

URL: A string of characters that identifies a webpage. For example, the URL
https://www.youtube.com/watch?v=oF5fIHhsHeM points to a YouTube video parodying the Church of
Scientology, and the 'hacker' group Anonymous.

The Algorithm:

Create text file for email address log.

integer icc = <lowest possible value for ICCID>
integer max = <highest possible value for ICCID>

do {
    URL = "http://fake-example.com/some-page&showID?sim=" + icc
    open URL
    copy email address from page
    paste email address into log file
    icc = icc + 1
} while icc is less than or equal to max

As you can see, this is a very simple algorithm. All you do is guess an ICCID, and plug it into a
URL. If it's valid, it gives you an email address, and now you can link a particular device with
a particular person. No password. No authentication that you are who you say you are.
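The loop above leaves a very recognisable trace on the server side: one client walking consecutive sim= values, hit or miss. The following detection logic is an added example (not from the original paste or from anyone involved); the log lines and IP addresses are constructed, and the log format is assumed to be the common Apache/nginx combined format.

```python
import re
from collections import defaultdict

# Constructed combined-log style lines (not real carrier logs).
# 203.0.113.5 walks consecutive ICCIDs; 198.51.100.7 is an ordinary client
# presenting its own ICCID twice.
SAMPLE_LOG = """
203.0.113.5 - - [09/Jun/2010:14:01:01 +0000] "GET /some-page?sim=89014103211111111110 HTTP/1.1" 200 512
198.51.100.7 - - [09/Jun/2010:14:01:02 +0000] "GET /some-page?sim=89014103219999999999 HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2010:14:01:02 +0000] "GET /some-page?sim=89014103211111111111 HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2010:14:01:03 +0000] "GET /some-page?sim=89014103211111111112 HTTP/1.1" 404 0
203.0.113.5 - - [09/Jun/2010:14:01:04 +0000] "GET /some-page?sim=89014103211111111113 HTTP/1.1" 200 512
198.51.100.7 - - [09/Jun/2010:14:05:00 +0000] "GET /some-page?sim=89014103219999999999 HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2010:14:01:05 +0000] "GET /some-page?sim=89014103211111111114 HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2010:14:01:06 +0000] "GET /some-page?sim=89014103211111111115 HTTP/1.1" 200 512
""".strip().splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET \S*?[?&]sim=(?P<sim>\d+)[^"]*" (?P<status>\d{3})'
)

def find_enumerators(lines, min_consecutive=4):
    """Return {ip: (distinct_ids, consecutive_steps)} for clients whose successive
    sim= values step by exactly 1 at least `min_consecutive` times.
    Misses (404) count too: the slurper loop tries every ID regardless of outcome."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_ip[m["ip"]].append(int(m["sim"]))
    flagged = {}
    for ip, sims in per_ip.items():
        steps = sum(1 for a, b in zip(sims, sims[1:]) if b - a == 1)
        if steps >= min_consecutive:
            flagged[ip] = (len(set(sims)), steps)
    return flagged
```

A real device repeats one ICCID; only an enumerator produces a run of +1 steps, so the threshold can be kept low without false positives.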

If the Chinese Patriotic Hacker Associations, or organized crime happened to get a hold of this
link, and you happened to be a big enough target for them, you know that they would try to break
into your device. And the email addresses of several CEOs of large companies, along with high
ranking members of the Obama Administration were discovered using this script.

Now, I get that this made users' lives easier when they connected to AT&T websites. I get that. And
there are ways to get the functionality that IS secure. One way I can think of is to use Digital
Signatures, which prove that you are exactly who you say you are, so that nobody can
impersonate you. This is very easy to code up, and I'm sure there are other methods out there.
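To make the contrast concrete, here is the broken lookup from the algorithm above beside a version that demands proof of possession of the SIM's key. This is an added example, not AT&T's code or anything from the paste; the ICCIDs, emails and keys are constructed, and a keyed HMAC over a shared per-SIM secret stands in for the digital signature the text proposes (an asymmetric signature would be the same check performed with the SIM's public key).

```python
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed ICCID -> email directory (fake values) standing in for the carrier's database.
ACCOUNTS = {
    "89014103211111111110": "alice@example.com",
    "89014103211111111111": "bob@example.com",
}
# Constructed per-SIM secret: provisioned on the SIM, copy held by the carrier, unknown to a guesser.
SIM_KEYS = {iccid: hashlib.sha256(b"demo-key:" + iccid.encode()).digest() for iccid in ACCOUNTS}

def vulnerable_lookup(query: str):
    """The design the paste describes: the ICCID alone is treated as the credential."""
    sim = parse_qs(query).get("sim", [None])[0]
    return ACCOUNTS.get(sim)

def sign_request(iccid: str, key: bytes, ts: int) -> str:
    """Device side: tag the ICCID and a timestamp with the SIM's secret key."""
    return hmac.new(key, f"{iccid}|{ts}".encode(), hashlib.sha256).hexdigest()

def hardened_lookup(query: str, now: int, max_skew: int = 60):
    """Server side: release the email only if the caller proves possession of the key
    for that ICCID and the timestamp is fresh (a captured URL cannot be replayed later)."""
    q = parse_qs(query)
    sim, ts, sig = (q.get(k, [None])[0] for k in ("sim", "ts", "sig"))
    if sim not in SIM_KEYS or ts is None or sig is None or not ts.isdigit():
        return None
    if abs(now - int(ts)) > max_skew:
        return None
    expected = sign_request(sim, SIM_KEYS[sim], int(ts))
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return ACCOUNTS.get(sim)

def demo():
    iccid = "89014103211111111110"
    now = 1276092000
    guessed = f"sim={iccid}"                          # what the slurper loop sends
    sig = sign_request(iccid, SIM_KEYS[iccid], now)
    legit = f"sim={iccid}&ts={now}&sig={sig}"          # what a device holding the key sends
    return vulnerable_lookup(guessed), hardened_lookup(guessed, now), hardened_lookup(legit, now)
```

Note that an unknown ICCID and a bad signature both return the same None, so the endpoint no longer even confirms which IDs exist.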

Long story short, AT&T did something very irresponsible, and Goatse Security did a public service
by informing the media of this security hole.

The irony is that back in the day, AT&T, which owned Bell Labs, created the C programming
language and Unix operating system, which was and is still widely praised for its security and
stability. Microsoft, on the other hand, is frequently criticized by the same people for
insecurity and instability. However, Microsoft, unlike AT&T, publicly thanks people who point
out security flaws to them.