I just finished my DevConf 2017 talk entitled All your data are belong to us: Reverse-engineering API’s, web scraping, and the details of how I gained access to 7 million Ster-Kinekor accounts.
This blog post is a rough summary of the Ster-Kinekor part of that.
MyBroadband has done a piece on this: Massive flaw in old Ster-Kinekor website leaked clients’ private data
It’s worth noting that nothing here is particularly advanced, and neither is my security knowledge – which is sort of what makes this scary.
If you don’t want to read the details, here is a summary:
Ster-Kinekor had a vulnerability in their site/API that allowed anyone to get the profile details of every single user in their system. Those details included names, addresses, phone numbers, and plaintext passwords (amongst a lot of other fields that you can see below).
To be clear, this wasn’t a hard thing to find at all, and from Ster-Kinekor’s side it was just pure negligence. Not only did the API hand off details to anyone, they were also storing passwords in their database in plaintext (and returning those to the client!).
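To make the two failures in that summary concrete, here is an added example (my own toy code, not Ster-Kinekor's, and not from the original post): a minimal in-memory "profile API" that behaves the way the summary describes, next to a hardened version. The users, fields, and function names are all constructed for illustration and assume nothing about the real site beyond what the post says: no check on who is asking, and a plaintext password sitting in the record that gets returned.

```python
# Added example, not Ster-Kinekor's code: a toy in-memory "profile API" that
# reproduces the two failures the post describes, next to a hardened version.
# All users, fields, and function names here are constructed for illustration.
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000

# Constructed sample records, loosely modelled on the fields the post lists.
VULNERABLE_DB = {
    1: {"id": 1, "name": "Alice Example", "email": "alice@example.invalid",
        "phone": "+27 11 000 0001", "address": "1 Sample Street", "password": "hunter2"},
    2: {"id": 2, "name": "Bob Example", "email": "bob@example.invalid",
        "phone": "+27 11 000 0002", "address": "2 Sample Street", "password": "letmein"},
}


def vulnerable_get_profile(user_id, token=None):
    """Failure mode from the post: the caller's identity is never checked, and
    the whole stored record, plaintext password included, is returned.
    Responses are (status, body) tuples standing in for an HTTP reply."""
    rec = VULNERABLE_DB.get(user_id)
    if rec is None:
        return 404, {"error": "no such user"}
    return 200, dict(rec)


def dump_every_user(fetch=vulnerable_get_profile):
    """What 'anyone can get every user' means in practice: walk the id space
    and keep every record the endpoint hands back, no credentials needed."""
    records = []
    for uid in sorted(VULNERABLE_DB):
        status, body = fetch(uid)
        if status == 200:
            records.append(body)
    return records


# ---- Hardened version -------------------------------------------------------

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Same users, but only a password hash is persisted.
HARDENED_DB = {
    uid: {**{k: v for k, v in rec.items() if k != "password"},
          "password_hash": hash_password(rec["password"])}
    for uid, rec in VULNERABLE_DB.items()
}
SESSIONS = {}  # session token -> user id
PUBLIC_FIELDS = ("id", "name", "email", "phone", "address")  # never the hash


def login(email, password):
    """Returns a random session token on success, None otherwise."""
    for uid, rec in HARDENED_DB.items():
        if rec["email"] == email and verify_password(password, rec["password_hash"]):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = uid
            return token
    return None


def hardened_get_profile(user_id, token):
    """Authenticate the caller, authorise them for this specific record, and
    return only the fields a client has any business seeing."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {"error": "not authenticated"}
    if caller != user_id:
        return 403, {"error": "not authorised for this profile"}
    rec = HARDENED_DB.get(user_id)
    if rec is None:
        return 404, {"error": "no such user"}
    return 200, {k: rec[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    print("vulnerable:", dump_every_user())
    tok = login("alice@example.invalid", "hunter2")
    print("hardened, own profile:", hardened_get_profile(1, tok))
    print("hardened, someone else's:", hardened_get_profile(2, tok))
```

Two design points worth noting. The authorisation check runs before the record lookup, so an unauthorised caller gets the same 403 for an existing id and a nonexistent one and cannot use the endpoint to enumerate valid ids. And the response is built from an explicit allow-list of fields rather than by deleting the sensitive ones from the record, so a column added to the table later does not silently leak.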