Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsOff topicScoop's security lapse
nate

6404 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

#110603 12-Oct-2012 11:36
Send private message

From Whaleoil

I was searching on Google for some details about adservers for a project I am working on and stumbled upon something that is very concerning about the set up of Scoop’s adserver. For a start to you can google it. (Image of search).Even basic protections like creating a disallow for the folder that contains the adserver in their robots.txt have not been perfomred. That is not security, rather it is obscurity that at the very least would have hidden the adserver from search results.

Once you find it however, then you have unfettered administrative rights to the entire adserver


Ah whoops, oh should I say, ah wheedled!

Create new topic

gzt

gzt
11634 posts

Uber Geek

Lifetime subscriber

  #700282 12-Oct-2012 16:50
Send private message

It is very unlikely that it was set up this way from the beginning. The usual cause is someone with an inadequate level of understanding going in and updating something. Maybe granting admin to guest lol or something equally shocking who knows.

The Whaleoil guy whose blog you link to above chose to use this access to insert his own advertisement into the Scoop site to promote the Whaleoil site - it is clear he knew what he was doing. Whether you agree with it or not his actions easily fall into the definition of illegal access under the Crimes Amendment Act 2003 (NZ).

[Edit: It is also possible access was restricted using a mod_access rule or something similar (no idea how common that is in practice - as a single line of defense it sounds like a bad idea) and then unrelated infrastructure reconfiguration followed at some point which led to access from outside the network.

Also, in favor of whoever directly maintains that server we can also bear in mind it is possible the configuration was altered through means other than http or standard administrative access]

oxnsox
1923 posts

Uber Geek


  #700291 12-Oct-2012 17:06
Send private message

gzt:...edited....
The Whaleoil guy whose blog you link to above chose to use this access to insert his own advertisement into the Scoop site to promote the Whaleoil site - it is clear he knew what he was doing. Whether you agree with it or not his actions easily fall into the definition of illegal

...no surprises there.. for Mr Slater

 
 
 
 


gzt

gzt
11634 posts

Uber Geek

Lifetime subscriber

  #700318 12-Oct-2012 17:28
Send private message

It is clear that Scoop have a duty of disclosure and a responsibility to comb their logs to determine if this facility was used to deliver or facilitate the delivery of any payload which was not directly authorised by them or one of their advertisers.

Whether they even log transactions for this area of their website is another question. You would hope so. Are the logs themselves secure? That's always a good question.

I see no statement on the front page of the Scoop site as yet.

nate

6404 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #702271 17-Oct-2012 04:04
Send private message

I wonder if they were secure and through some mistake that security has been removed.  Seems strange how it's only been discovered now.

Create new topic




News »

Logitech introduce MX Anywhere 3
Posted 21-Sep-2020 21:17

Countdown unveils contactless shopping with new Scan&Go tech
Posted 21-Sep-2020 09:48

HP unveils new innovations for businesses adapting to rapidly evolving workstyles and workforces
Posted 17-Sep-2020 15:36

GoPro launches new HERO9 Black camera
Posted 17-Sep-2020 09:45

Telecommunications industry launches new 5G Facts website
Posted 17-Sep-2020 07:56

New Zealand ranks 3rd in world in GSMA index
Posted 15-Sep-2020 10:13

Trend Micro Security Suite adds web monitoring to prevent identity theft
Posted 14-Sep-2020 15:37

NVIDIA to acquire Arm for US$ 40 billion
Posted 14-Sep-2020 12:27

Epson launches its next gen A3+ colour EcoTank multi-function printer
Posted 10-Sep-2020 16:08

Sony launches three new native 4K SXRD home cinema projectors
Posted 9-Sep-2020 18:00

Catalyst Cloud brings Kubernetes-based open-source web hosting solution to market
Posted 9-Sep-2020 17:54

Verizon Connect eyes further growth in New Zealand
Posted 8-Sep-2020 09:26

PNY launches XLR8 gaming NVIDIA GeForce RTX 30 series powered by the all-new NVIDIA Ampere architecture
Posted 3-Sep-2020 16:39

NVIDIA delivers greatest-ever generational leap with GeForce RTX 30 Series GPUs
Posted 3-Sep-2020 16:17

Weta Digital advances visual effects and animation in the cloud with AWS
Posted 2-Sep-2020 17:09


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.