A Simple Explanation of How the Goatse Security "Account Slurper" Script Worked:

Disclaimer:
I am not a member of Goatse Security, nor am I a member of their affiliated trolling group GNAA.
I have never seen the code for the Account Slurper, nor have I ever engaged in a conversation with
anyone connected to GoatSec or GNAA or Gawker regarding its implementation. This I pieced together
just from reading the news articles regarding this case, and my own knowledge of computer science.

Publishing this is perfectly legal because 1) Anyone who knows how to implement this algorithm
already knows how to do this anyway. 2) It's a very simple algorithm. 3) Educational purposes
for developers in order to better defend against such simple exploits.

And to be honest, it's pathetic that something this simple was able to be used as an exploit.
Seriously.

SIM: Subscriber Identity Module, a chip present in all cellular devices that identifies the device
as belonging to a particular user, and contains the digital key allowing a device to connect
to a network.

ICCID: identifier for a particular device. It's easy to find a possible ICCID, but ideally only
you, your phone and the phone company should be able to find the link between your ICCID
and your identity.

URL: A string of characters that identifies a webpage. For example, the URL
https://www.youtube.com/watch?v=oF5fIHhsHeM points to a YouTube video parodying the Church of
Scientology, and the 'hacker' group Anonymous.

The Algorithm:

Create text file for email address log.

integer icc = <lowest possible value for ICCID>
integer max = <highest possible value for ICCID>

do {
    URL = "http://fake-example.com/some-page&showID?sim=" + icc
    open URL
    copy email address from page
    paste email address into log file
    icc = icc + 1
} while icc is less than or equal to max

As you can see, this is a very simple algorithm. All you do is guess an ICCID, and plug it into a
URL. If it's valid, it gives you an email address, and now you can link a particular device with
a particular person. No password. No authentication that you are who you say you are.

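What the loop above looks like from the server's side, as an added example that is not part of the original paste: it scans constructed access-log lines and flags any client whose sim= values advance like a counter, which is the signature of an ICCID walk. The log format, the /some-page&showID path, the sample ICCIDs and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic): client_ip method path status.
# 10.0.0.7 walks the ICCID space in order; 10.0.0.9 makes two unrelated lookups.
SAMPLE_LOG = """\
10.0.0.7 GET /some-page&showID?sim=89014103211118510001 200
10.0.0.9 GET /some-page&showID?sim=89014103211118510720 200
10.0.0.7 GET /some-page&showID?sim=89014103211118510002 404
10.0.0.7 GET /some-page&showID?sim=89014103211118510003 200
10.0.0.7 GET /some-page&showID?sim=89014103211118510004 404
10.0.0.9 GET /some-page&showID?sim=89014103211118510901 200
10.0.0.7 GET /some-page&showID?sim=89014103211118510005 200
10.0.0.7 GET /some-page&showID?sim=89014103211118510006 200
"""

LINE_RE = re.compile(r"^(\S+) \S+ \S*[?&]sim=(\d+) (\d{3})$")

def parse_log(text):
    """Yield (client, iccid, status) for every line carrying a sim= lookup."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))

def find_enumerators(text, min_requests=5, min_sequential_ratio=0.8):
    """Return {client: stats} for clients whose sim= values advance like a counter.

    A client is flagged once it has made min_requests lookups and at least
    min_sequential_ratio of the gaps between successive ICCIDs equal +1.
    Both thresholds are assumptions for this example; tune them on real traffic.
    """
    per_client = defaultdict(list)
    for client, iccid, status in parse_log(text):
        per_client[client].append((iccid, status))
    flagged = {}
    for client, reqs in per_client.items():
        if len(reqs) < min_requests:
            continue
        ids = [i for i, _ in reqs]
        steps = [b - a for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[client] = {
                "requests": len(reqs),
                "sequential_ratio": ratio,
                "hits": sum(1 for _, st in reqs if st == 200),  # lookups that returned a record
            }
    return flagged
```

The 404s in the sample matter: a legitimate device almost never asks about an ICCID that does not exist, so a client mixing misses with consecutive hits is the one to rate-limit or block.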
If the Chinese Patriotic Hacker Associations, or organized crime happened to get a hold of this
link, and you happened to be a big enough target for them, you know that they would try to break
into your device. And the email addresses of several CEOs of large companies, along with
high-ranking members of the Obama Administration were discovered using this script.

Now, I get that this made users' lives easier when they connected to AT&T websites. I get that. And
there are ways to get that functionality that ARE secure. One way I can think of is to use Digital
Signatures, which prove that you are exactly who you say you are, so that nobody can
impersonate you. This is very easy to code up, and I'm sure there are other methods out there.

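The fix the author sketches, as an added example (not code from the paste): the same email lookup, first keyed by a guessable ICCID alone, then requiring proof of a key only that device holds. It uses an HMAC over a single-use server nonce as a stand-in for a digital signature, since that is what the standard library offers; the device table, keys and addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed device records (not real subscriber data): ICCID -> (email, per-device key).
DEVICES = {
    "89014103211118510001": ("alice@example.com", b"alice-device-key-assumed"),
    "89014103211118510002": ("bob@example.com", b"bob-device-key-assumed"),
}

def lookup_email_insecure(iccid):
    """The pattern the script abused: a valid, guessable ICCID is the only credential."""
    rec = DEVICES.get(iccid)
    return rec[0] if rec else None

class AuthenticatedLookup:
    """Only a client that can prove possession of the device's key learns its email."""

    def __init__(self, devices):
        self._devices = devices
        self._nonces = set()  # single-use challenges, so a captured proof cannot be replayed

    def challenge(self):
        """Server hands out a fresh random nonce the device must bind its proof to."""
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    @staticmethod
    def prove(device_key, iccid, nonce):
        """Computed on the device with its own key; stands in for a digital signature."""
        msg = f"{iccid}:{nonce}".encode()
        return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

    def lookup_email(self, iccid, nonce, proof):
        if nonce not in self._nonces:  # unknown or already-used challenge
            return None
        self._nonces.discard(nonce)  # consume it whether or not the proof checks out
        rec = self._devices.get(iccid)
        if rec is None:
            return None
        email, key = rec
        expected = self.prove(key, iccid, nonce)
        # Constant-time compare; a guessed ICCID without the matching key fails here.
        if not hmac.compare_digest(expected, proof):
            return None
        return email
```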
Long story short, AT&T did something very irresponsible, and Goatse Security did a public service
by informing the media of this security hole.

The irony is that back in the day, AT&T, which owned Bell Labs, created the C programming
language and the Unix operating system, which was and is still widely praised for its security and
stability. Microsoft, on the other hand, is frequently criticized by the same people for
insecurity and instability. However, Microsoft, unlike AT&T, publicly thanks people who point
out security flaws to them.