A Simple Explanation of How the Goatse Security "Account Slurper" Script Worked

Disclaimer:

I am not a member of Goatse Security, nor am I a member of their affiliated trolling group GNAA.
I have never seen the code for the Account Slurper, nor have I ever engaged in a conversation with
anyone connected to GoatSec, GNAA or Gawker regarding its implementation. I pieced this together
just from reading the news articles regarding this case and my own knowledge of computer science.

Publishing this is perfectly legal because 1) anyone who knows how to implement this algorithm
already knows how to do this anyway, 2) it's a very simple algorithm, and 3) it serves educational
purposes for developers, so they can better defend against such simple exploits.

And to be honest, it's pathetic that something this simple was able to be used as an exploit.
Seriously.
Definition of terms:

SIM: Subscriber Identity Module, a chip in GSM/UMTS/LTE phones and other cellular devices that
identifies the device to the carrier as belonging to a particular subscriber and holds the secret
key used to authenticate the device to the network.

ICCID: Integrated Circuit Card Identifier, a unique serial number (typically 19 or 20 digits)
printed on and stored in a SIM card. It identifies the card, and so in practice the device the
card is installed in. ICCIDs are not secret and are handed out in sequential ranges, so a valid
one is easy to guess; ideally only you, your phone and the phone company should be able to link
your ICCID to your identity.

URL: A string of characters that identifies a web page, including any query parameters after the
"?". For example, the URL https://www.youtube.com/watch?v=oF5fIHhsHeM points to a YouTube video
parodying the Church of Scientology and the "hacker" group Anonymous.
The Algorithm:

Create a text file for the email address log, then (the URL is a placeholder, not the real one):

    integer icc = <lowest possible value for ICCID>
    integer max = <highest possible value for ICCID>
    do {
        URL = "http://fake-example.com/some-page?sim=" + icc
        open URL
        copy the email address from the page
        append the email address to the log file
        icc = icc + 1
    } while icc is less than or equal to max
Discussion:

As you can see, this is a very simple algorithm. All you do is guess an ICCID and plug it into the
URL. If the ICCID is valid, the page hands back an email address, and you can now link a particular
device to a particular person. No password. No check that you are who you say you are: the ICCID is
a serial number, not a secret, and it was the only thing standing between the request and the data.

If a group like the Chinese Patriotic Hacker Associations, or organized crime, got hold of this
link, and you happened to be a big enough target for them, you know they would try to break into
your device. And the email addresses of several CEOs of large companies, along with high-ranking
members of the Obama Administration, were reportedly discovered using this script.
Now, I get that this made users' lives easier when they connected to AT&T websites. I get that. But
there are ways to get the same convenience that ARE secure. One I can think of is for the server to
hand the device a token it has signed (or, since the same server issues and checks it, an HMAC over
the account identifier under a server-held key), and to hand it out only after the user has actually
logged in, then require that token rather than a bare ICCID on every request. Someone who merely
guesses an ICCID cannot produce a valid token, so nobody can impersonate you. The cryptography is
easy to code up; the parts that take care are keeping the lookup behind real authentication, tying
the token to a session with an expiry, and rate-limiting and alerting on the sequential-ID scanning
a script like this produces. I'm sure there are other methods out there.
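The following is an added example written for this page; it is not the Account Slurper's code and not anything from AT&T, Goatse Security or Gawker. It runs the enumeration loop from the Algorithm section against an in-process lookup function instead of a live URL: first against a lookup that answers any valid ICCID (the flaw described above), then against one that demands a server-issued token (the fix sketched in the previous paragraph). An HMAC under a server-held key stands in for an asymmetric signature because the same server both issues and verifies the token. The subscriber table, the ICCIDs and addresses in it, and all names (SUBSCRIBERS, SERVER_KEY, issue_token, hardened_lookup, slurp, guess_with_forged_tag) are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Callable, Dict, Optional

# Constructed sample "subscriber database" keyed by 19-digit ICCID.
# The ICCIDs and addresses are made up for this example.
SUBSCRIBERS: Dict[str, str] = {
    "8901410321111851072": "alice@example.com",
    "8901410321111851073": "bob@example.com",
    "8901410321111851079": "carol@example.com",
}

ICCID_RE = re.compile(r"[0-9]{19,20}")


def vulnerable_lookup(iccid: str) -> Optional[str]:
    """The flawed design: the caller's only 'credential' is a predictable
    serial number, so anyone who guesses a valid ICCID gets the e-mail."""
    return SUBSCRIBERS.get(iccid)


def slurp(lookup: Callable[[str], Optional[str]], lo: int, hi: int) -> Dict[str, str]:
    """The enumeration loop from the Algorithm section: try every ICCID from
    lo to hi inclusive and keep whatever e-mail addresses come back."""
    log: Dict[str, str] = {}
    for icc in range(lo, hi + 1):
        email = lookup(str(icc))
        if email is not None:
            log[str(icc)] = email
    return log


# --- Hardened variant: require a server-issued, HMAC-authenticated token ---

SERVER_KEY = secrets.token_bytes(32)  # known only to the server (assumption)


def _tag(iccid: str) -> str:
    """HMAC-SHA256 of the ICCID under the server key, as a hex string."""
    return hmac.new(SERVER_KEY, iccid.encode(), hashlib.sha256).hexdigest()


def issue_token(iccid: str) -> str:
    """Server side, to be run only after the subscriber has actually logged
    in: hand the device an opaque token  <iccid>.<HMAC-SHA256(key, iccid)>."""
    return f"{iccid}.{_tag(iccid)}"


def hardened_lookup(token: str) -> Optional[str]:
    """Server side: answer only if the token's tag verifies under the server
    key. A guessed ICCID with a forged or missing tag gets nothing, and
    editing the ICCID inside a genuine token invalidates its tag."""
    iccid, sep, tag = token.partition(".")
    if not sep or not ICCID_RE.fullmatch(iccid):
        return None
    if not hmac.compare_digest(_tag(iccid), tag):  # constant-time compare
        return None
    return SUBSCRIBERS.get(iccid)


def guess_with_forged_tag(iccid: str) -> Optional[str]:
    """What the slurper can do against the hardened endpoint: it knows the
    ICCID but not SERVER_KEY, so the best it can send is a made-up tag."""
    return hardened_lookup(f"{iccid}.{'0' * 64}")


if __name__ == "__main__":
    lo, hi = 8901410321111851070, 8901410321111851080
    print("vulnerable endpoint:", slurp(vulnerable_lookup, lo, hi))    # all three addresses
    print("hardened endpoint:  ", slurp(guess_with_forged_tag, lo, hi))  # {}
    print("genuine token:      ", hardened_lookup(issue_token("8901410321111851072")))
```

The in-memory dictionary stands in for the carrier's back end, and the token is deliberately minimal: it binds nothing but the ICCID, so in a real deployment it would also carry an expiry and a session binding, and the issuance path itself is where authentication has to happen. What the example does show is the property that matters here: the same sequential scan that empties the vulnerable lookup gets nothing from the hardened one, because a guessable identifier is no longer accepted as proof of anything.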
Long story short, AT&T did something very irresponsible, and Goatse Security did a public service
by informing the media of this security hole.

The irony is that back in the day AT&T, which owned Bell Labs, created the C programming language
and the Unix operating system, both of which were and still are widely praised for their security
and stability. Microsoft, on the other hand, is frequently criticized by the same people for
insecurity and instability. However, Microsoft, unlike AT&T, publicly thanks people who point out
security flaws to it.