Scoop's security lapse

Forums › Off topic › Scoop's security lapse

nate

6473 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#110603 12-Oct-2012 11:36

From Whaleoil

I was searching on Google for some details about adservers for a project I am working on and stumbled upon something that is very concerning about the set up of Scoop’s adserver. For a start to you can google it. (Image of search).Even basic protections like creating a disallow for the folder that contains the adserver in their robots.txt have not been perfomred. That is not security, rather it is obscurity that at the very least would have hidden the adserver from search results.

Once you find it however, then you have unfettered administrative rights to the entire adserver

Ah whoops, oh should I say, ah wheedled!

gzt

17106 posts

Uber Geek

Lifetime subscriber

#700282 12-Oct-2012 16:50

It is very unlikely that it was set up this way from the beginning. The usual cause is someone with an inadequate level of understanding going in and updating something. Maybe granting admin to guest lol or something equally shocking who knows.

The Whaleoil guy whose blog you link to above chose to use this access to insert his own advertisement into the Scoop site to promote the Whaleoil site - it is clear he knew what he was doing. Whether you agree with it or not his actions easily fall into the definition of illegal access under the Crimes Amendment Act 2003 (NZ).

[Edit: It is also possible access was restricted using a mod_access rule or something similar (no idea how common that is in practice - as a single line of defense it sounds like a bad idea) and then unrelated infrastructure reconfiguration followed at some point which led to access from outside the network.

Also, in favor of whoever directly maintains that server we can also bear in mind it is possible the configuration was altered through means other than http or standard administrative access]

oxnsox

1923 posts

Uber Geek

#700291 12-Oct-2012 17:06

gzt:...edited....
The Whaleoil guy whose blog you link to above chose to use this access to insert his own advertisement into the Scoop site to promote the Whaleoil site - it is clear he knew what he was doing. Whether you agree with it or not his actions easily fall into the definition of illegal

...no surprises there.. for Mr Slater

gzt

17106 posts

Uber Geek

Lifetime subscriber

#700318 12-Oct-2012 17:28

It is clear that Scoop have a duty of disclosure and a responsibility to comb their logs to determine if this facility was used to deliver or facilitate the delivery of any payload which was not directly authorised by them or one of their advertisers.

Whether they even log transactions for this area of their website is another question. You would hope so. Are the logs themselves secure? That's always a good question.

I see no statement on the front page of the Scoop site as yet.

nate

6473 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#702271 17-Oct-2012 04:04

I wonder if they were secure and through some mistake that security has been removed. Seems strange how it's only been discovered now.