Stories with Tag security breach

• How I pwned a major New Zealand service provider

  permalink

  Posted: 2025-03-24 23:07:14

  Verbose tl;dr

  A security researcher discovered a critical vulnerability in a major New Zealand service provider's website. By manipulating a forgotten password request, they were able to inject arbitrary JavaScript code that executed when an administrator viewed the request in their backend system. This cross-site scripting (XSS) vulnerability allowed the researcher to gain access to administrator cookies and potentially full control of the provider's systems. Although they demonstrated the vulnerability by merely changing the administrator's password, they highlighted the potential for far more damaging actions. The researcher responsibly disclosed the vulnerability to the provider, who promptly patched the flaw and awarded them a bug bounty.

  A New Zealand security researcher, operating under the pseudonym "Mr. Bruh," meticulously documented a series of escalating vulnerabilities discovered within a prominent, albeit unnamed, New Zealand service provider. This account details a concerning lapse in security practices, starting with a seemingly innocuous exposed .git directory on a publicly accessible server. This directory, a crucial component of the Git version control system, contained the complete source code for the service provider's website, including sensitive configuration files. Mr. Bruh exploited this initial vulnerability to gain access to database credentials, effectively granting him unauthorized access to the provider's core database.

  The researcher further exploited weaknesses within the system, leveraging these initial credentials to escalate his privileges. He discovered inadequately protected internal APIs, which, due to insufficient authorization checks, allowed him to perform actions beyond the scope of a regular user. This included manipulating account details and accessing internal tools intended solely for authorized personnel. The compromised APIs exposed customer data, including personally identifiable information, further exacerbating the severity of the breach.

  Mr. Bruh’s investigation also revealed a troubling lack of security logging and monitoring. This deficiency meant that his actions went largely undetected, allowing him to explore the system's vulnerabilities over an extended period without triggering any alarms. The lack of proper logging hindered the service provider's ability to track the extent of the breach and identify the compromised data.

  Throughout the process, Mr. Bruh meticulously documented his findings, including screenshots and technical details of the vulnerabilities he encountered. He emphasized the systemic nature of these security flaws, highlighting not just isolated incidents but a pervasive disregard for basic security practices. After responsibly disclosing the vulnerabilities to the affected service provider through their official channels, Mr. Bruh waited an appropriate period for them to rectify the issues. Following this period of responsible disclosure, he published a detailed account of his findings, redacting any information that could further compromise the provider or its customers, with the intent of educating the wider community about the importance of robust security measures. He concludes by expressing his disappointment with the service provider's overall security posture, emphasizing the potential for far more damaging exploitation by malicious actors.

  • Cybersecurity
  • Penetration Testing
  • Ethical Hacking
  • vulnerability disclosure
  • New Zealand
  • Service Provider
  • security breach
  • Web Security
  • hacking
  • information security
  • Data Breach

  Summary of Comments ( 2 )
  https://news.ycombinator.com/item?id=43466355

  Verbose tl;dr

  HN commenters discuss the ethical implications of the author's actions, questioning whether responsible disclosure was truly attempted given the short timeframe and lack of clear communication with the affected company. Several express skepticism about the "major" provider claim, suggesting it might be smaller than portrayed. Some doubt the technical details, pointing out potential flaws in the exploit description. Others debate the legality of the actions under New Zealand law, with some suggesting potential CFAA violations, despite the author's New Zealand origin. A few commenters offer alternative explanations for the observed behavior, proposing it might be a misconfiguration rather than a vulnerability. The overall sentiment is critical of the author's approach, emphasizing the potential for harm and the importance of responsible disclosure practices.

  The Hacker News post titled "How I pwned a major New Zealand service provider" (linking to https://mrbruh.com/majorprovider/) generated a significant discussion with a variety of comments. Several commenters focused on the ethical implications and responsible disclosure practices of the author.

  One compelling line of discussion revolved around the perceived recklessness of the author's actions. Some argued that escalating access to the point of root, even unintentionally, crossed a significant ethical line, especially given the potential for widespread disruption. They emphasized the importance of responsible disclosure and suggested that the author should have stopped at demonstrating the initial vulnerability and reported it immediately. Others countered that the author's curiosity and desire to understand the full extent of the vulnerability were understandable, especially given the provider's seemingly dismissive response.

  Another key point of discussion was the security posture of the affected provider. Several commenters expressed concern about the apparent lack of basic security measures, such as proper input sanitization and access controls. They questioned the competency of the provider's security team and speculated on the potential consequences of such lax security practices.

  Several users also debated the legality of the author's actions. While some argued that the author's actions likely violated New Zealand law, others pointed out the potential ambiguity of the relevant legislation and the difficulty of proving intent.

  The comment section also included technical discussions regarding the specific vulnerabilities exploited by the author. Some users dissected the technical details of the exploits, while others offered suggestions for mitigating similar vulnerabilities.

  A recurring theme was the contrast between the author's perceived youthful enthusiasm and the provider's apparent apathy. Many commenters expressed sympathy for the author's situation, while criticizing the provider's dismissive response.

  Finally, several commenters discussed the potential consequences for the author, ranging from legal repercussions to reputational damage. The discussion highlighted the complex ethical and legal landscape surrounding security research and responsible disclosure.

• Feds Link $150M Cyberheist to 2022 LastPass Hacks

  permalink

  Posted: 2025-03-08 01:26:33

  Verbose tl;dr

  Federal prosecutors have linked the theft of $150 million in cryptocurrency from a crypto platform to the 2022 LastPass breaches. The hackers allegedly exploited vulnerabilities exposed in the LastPass hacks to steal a developer's decryption key, ultimately gaining access to the crypto platform's "hot" wallets. The indictment doesn't name the victimized crypto platform, but describes it as a "virtual currency exchange based in the United States." Two individuals, Russian national Ruslan Akhmetshin and an unnamed co-conspirator, are charged with money laundering and conspiracy to commit computer fraud. The indictment details Akhmetshin's alleged role in converting the stolen cryptocurrency into Bitcoin and then routing it through various channels to obscure its origin.

  In a significant development, renowned security journalist Brian Krebs, on his blog KrebsOnSecurity, reports that federal law enforcement officials have formally linked the massive $150 million cryptocurrency heist from the decentralized finance (DeFi) platform Platypus Finance to the two separate security breaches that LastPass, a prominent password management service, suffered in 2022. This connection underscores the far-reaching consequences of seemingly contained security incidents and highlights the potential for exploited data to be leveraged in subsequent, larger-scale attacks.

  Krebs's report details how the attackers, still unidentified, successfully exfiltrated encrypted backups of LastPass customer vaults during the second of the two breaches. While LastPass maintained that these vaults were protected by robust encryption contingent on users having sufficiently strong master passwords, the hackers appear to have obtained the decryption key for one particular LastPass employee's vault. This vault, unfortunately, contained critical secrets related to the victim's role at Platypus Finance.

  This access, according to the information Krebs received from sources close to the investigation, provided the cybercriminals with the necessary tools to orchestrate the complex attack against Platypus Finance, ultimately leading to the substantial $150 million loss. While the exact mechanisms by which the stolen credentials facilitated the heist remain undisclosed in the report to protect ongoing investigative efforts, the implication is that the compromised information served as a crucial entry point for the attackers.

  The Platypus Finance heist, which occurred in February 2023, sent shockwaves through the DeFi community. The incident involved a sophisticated exploit of the platform's mechanisms, allowing the perpetrators to drain a significant amount of cryptocurrency. Now, with the established link to the LastPass breaches, the incident serves as a stark reminder of the interconnected nature of cybersecurity vulnerabilities and the potential for seemingly isolated incidents to have cascading effects.

  This development further intensifies the scrutiny surrounding LastPass’s security practices and its response to the 2022 breaches. While the company has maintained that strong master passwords would protect user data, this incident demonstrably shows how the compromise of even a single employee's vault, particularly one containing sensitive work-related information, can have catastrophic consequences. The linkage of these two events underscores the importance of robust security protocols, thorough incident response procedures, and the critical need for individuals and organizations alike to prioritize strong and unique passwords for all sensitive accounts. It also highlights the growing threat posed by attackers who strategically target individual employees to gain access to larger organizational systems and valuable assets.

  • Cybersecurity
  • Data Breach
  • cyberheist
  • LastPass
  • password manager
  • hacking
  • cybercrime
  • security breach
  • Online Security
  • digital security
  • information security
  • data theft
  • Financial Crime
  • Fraud
  • $150M heist
  • 2022 LastPass breach

  Summary of Comments ( 17 )
  https://news.ycombinator.com/item?id=43296656

  Verbose tl;dr

  Hacker News commenters discuss the implications of the LastPass breach, focusing on the seemingly lax security practices that allowed the attackers to compromise a DevOps engineer's home computer and subsequently gain access to critical infrastructure. Several express frustration with password managers in general, highlighting the inherent risk of placing all eggs in one basket. Some question the plausibility of a DevOps engineer having access to decryption keys on a home machine, while others debate the efficacy of multi-factor authentication (MFA) against sophisticated attacks. The conversation also touches on the potential for insider threats and the difficulty of securing home networks against determined attackers. Some commenters find the timeline presented by the DOJ dubious, suggesting a longer period of compromise than officially acknowledged.

  The Hacker News comments section for the article "Feds Link $150M Cyberheist to 2022 LastPass Hacks" contains several compelling discussions related to the implications of the breach.

  Several commenters discuss the apparent lack of technical details released by LastPass and the Justice Department. They express frustration that the exact mechanisms of the attack, how the hackers ultimately gained access to decrypt user vaults, and the specific vulnerabilities exploited are still unclear. This lack of transparency fuels speculation and limits the ability to learn from the incident. Some users question whether this lack of detail is intentional on LastPass's part to avoid further damage to their reputation.

  A significant thread focuses on the use of cloud backups and the potential risks they pose if not properly secured. Commenters highlight the importance of encrypting backups with a separate key not stored in the same environment as the backed-up data. The LastPass incident, where developer backups were seemingly compromised, serves as a cautionary tale about the potential consequences of failing to implement robust backup security measures.

  Some commenters analyze the potential implications for password managers in general. They debate whether the LastPass incident indicates systemic issues with password managers as a whole or if it's solely a result of LastPass's specific security failings. The discussion touches upon the trade-off between convenience and security, with some suggesting alternative approaches like hardware security keys or distributed password management systems.

  Another point of discussion revolves around the severity of the consequences for LastPass users. Some users argue that the potential for complete vault decryption is a catastrophic failure, while others downplay the impact, suggesting that the number of users actually affected by the $150 million heist is likely small. The conversation highlights the differing perspectives on the acceptable level of risk associated with password managers.

  Finally, a few comments express skepticism about the link between the LastPass hacks and the $150 million cryptocurrency heist, pointing out that the indictment doesn't provide concrete evidence directly connecting the two events. They suggest the possibility that the indictment might be leveraging the high-profile LastPass breach to add weight to their case. This skepticism underscores the need for more transparency from law enforcement and LastPass to solidify the alleged connection.

• Bybit CEO Confirms Exchange Was Hacked for $1.46B

  permalink

  Posted: 2025-02-21 17:15:03

  Verbose tl;dr

  Bybit CEO Ben Zhou confirmed the cryptocurrency exchange suffered a security breach resulting in a loss of $1.46 billion. Zhou assured users that Bybit's insurance fund can fully cover the loss and that no user funds were affected. He attributed the loss to unauthorized access to Bybit's hot wallet, emphasizing that the platform's other security systems remained intact. Zhou also stated that an investigation is underway to determine the cause of the breach and prevent future incidents.

  In a recent revelation that has sent tremors through the cryptocurrency community, Ben Zhou, the Chief Executive Officer of Bybit, a prominent cryptocurrency derivatives exchange headquartered in Dubai, has officially confirmed that the platform was the victim of a sophisticated cyberattack. This security breach resulted in the misappropriation of a staggering $1.46 billion USD worth of digital assets. This substantial loss represents a significant blow, not only to Bybit itself but also potentially to the broader confidence in the security of cryptocurrency exchanges.

  Mr. Zhou, in his public acknowledgement of the incident, sought to reassure users and investors, emphasizing Bybit's robust financial standing. He explicitly stated that the exchange possesses sufficient reserves to fully cover the entirety of the stolen funds, thereby shielding users from bearing any financial repercussions from the attack. This assurance aims to mitigate potential panic and maintain stability within the Bybit ecosystem.

  While the exact nature and methodology of the exploit remain undisclosed, the confirmation of the hack itself raises serious concerns regarding the vulnerabilities that persist within the rapidly evolving cryptocurrency landscape. The magnitude of the stolen funds underscores the attractive target that cryptocurrency exchanges represent for malicious actors, highlighting the ongoing need for enhanced security measures and robust risk management protocols within the industry.

  The incident serves as a stark reminder of the inherent risks associated with digital asset trading and the importance of due diligence when selecting a cryptocurrency exchange. Despite Bybit's assertion of its capacity to absorb the loss, the long-term implications of such a significant security breach remain to be seen, particularly in terms of user trust and regulatory scrutiny. The cryptocurrency community will undoubtedly be closely monitoring Bybit's subsequent actions and transparency in addressing the aftermath of this substantial cyberattack. Furthermore, this incident will likely fuel ongoing discussions surrounding the need for stronger industry-wide security standards and regulatory frameworks to protect investors and maintain the integrity of the digital asset market.

  • Bybit
  • Cryptocurrency
  • exchange hack
  • security breach
  • Cybersecurity
  • Digital Assets
  • Bitcoin
  • Ethereum
  • crypto trading
  • Financial Loss
  • Online Security
  • Fraud
  • Ben Zhou

  Summary of Comments ( 52 )
  https://news.ycombinator.com/item?id=43130143

  Verbose tl;dr

  Hacker News users discuss the Bybit hack with skepticism, questioning the unusually large reported loss of $1.46 billion, especially given the lack of widespread media coverage. Some speculate about the possibility of an inside job or accounting errors, highlighting the opacity common in the cryptocurrency exchange world. Others point to the lack of specific details about the hack, like the exploited vulnerability or the affected assets, fueling further distrust. The exchange's claim of being able to cover the losses is met with suspicion, prompting discussion about the potential long-term impact on user trust and the overall stability of Bybit. Some comments also mention the ironic timing of the hack coinciding with Bybit's proof-of-reserves publication.

  The Hacker News post titled "Bybit CEO Confirms Exchange Was Hacked for $1.46B" has generated several comments discussing the implications of the alleged hack. The discussion centers around the plausibility of the event, with many commenters expressing skepticism about the reported amount and questioning Bybit's handling of the situation.

  Several commenters point out the unusual nature of a crypto exchange experiencing such a substantial loss and openly admitting to it. The lack of specific details about how the hack occurred is also a frequent point of concern. Some speculate that the actual loss may be smaller than reported or that the "hack" may be a cover for other financial issues within Bybit.

  One compelling comment thread explores the possibility of an inside job or a rug pull, suggesting that the hack might be a fabricated story to disguise embezzlement or other fraudulent activities. This thread highlights the lack of transparency in the cryptocurrency market and the inherent risks associated with centralized exchanges.

  Another noteworthy comment thread discusses the potential impact of this event on Bybit's reputation and the broader cryptocurrency market. Some commenters express concern that this incident could further erode trust in centralized exchanges, potentially driving users towards decentralized alternatives. Others downplay the significance of the event, arguing that such incidents are relatively common in the volatile cryptocurrency landscape.

  Several commenters also question the accuracy of the reporting, pointing out that the original TradingView article may have misrepresented the situation. They suggest waiting for official confirmation and more detailed information before drawing conclusions.

  Finally, some comments delve into the technical aspects of cryptocurrency security, discussing potential vulnerabilities and best practices for protecting digital assets. These comments offer valuable insights into the challenges of securing cryptocurrency exchanges and the importance of robust security measures.

  Overall, the comments on Hacker News reflect a mixed reaction to the news of the Bybit hack. While some express genuine concern and skepticism, others remain cautious and await further details. The discussion underscores the importance of due diligence and critical thinking when evaluating information in the fast-paced and often opaque world of cryptocurrency.

• Why do War Thunder players leak classified information? [video]

  permalink

  Posted: 2025-01-31 22:32:36

  Verbose tl;dr

  War Thunder players have repeatedly leaked classified military documents related to in-game vehicles, seeking to improve the game's realism or win arguments in online forums. Driven by a desire for accuracy and fueled by competitive debates, these leaks have involved information on tanks like the Challenger 2, the Leclerc, and the Chinese Type 99, often including restricted manuals and specifications. While players argue their intentions are to enhance the game, these actions have serious real-world implications regarding national security and the dissemination of sensitive military data. The video emphasizes the absurdity of the situation, highlighting the clash between a video game's pursuit of realism and the potential dangers of unrestricted access to classified information.

  This YouTube video, titled "Why do War Thunder players leak classified information?", delves into the recurring phenomenon of War Thunder players disclosing sensitive military documents related to in-game vehicles. The video explores the underlying motivations and the context surrounding these leaks, which have occurred multiple times involving different nations' military hardware.

  The narrator explains that War Thunder fosters a dedicated and passionate community deeply invested in the accurate representation of military vehicles within the game. This dedication extends to meticulous research and analysis of real-world specifications, often involving the scrutiny of declassified documents and historical records. However, this pursuit of realism occasionally crosses a line, with players accessing and disseminating information that remains classified.

  The video highlights the specific case studies of these leaks, demonstrating how players, driven by a desire for greater in-game accuracy or to win arguments within the community, have resorted to sharing restricted documentation. It emphasizes that these documents, often pertaining to tank armor layouts, performance characteristics, or weapon systems, can have real-world implications for national security, potentially compromising the operational effectiveness of the equipment in question.

  The core argument presented is that the leaks stem from a confluence of factors: the game's commitment to realism, the competitive nature of the community, and the accessibility of certain classified information through less secure channels. The video also touches upon the complexities of classifying information in the digital age, highlighting the difficulties governments face in controlling the spread of sensitive data, particularly within passionate online communities. Furthermore, the video explores the legal and ethical implications of such leaks, highlighting the potential consequences for the individuals involved and the broader implications for national security. The video concludes with a discussion about the potential solutions to this recurring problem, including greater community awareness, improved moderation within the game's forums, and perhaps a reevaluation of classification procedures for certain types of military information.

  • War Thunder
  • video game
  • classified information leaks
  • military secrets
  • gaming community
  • online gaming
  • simulation game
  • tank warfare
  • air combat
  • naval combat
  • Data Breach
  • security breach
  • information security
  • player behavior
  • Game Development
  • Gaijin Entertainment

  Summary of Comments ( 5 )
  https://news.ycombinator.com/item?id=42893089

  Verbose tl;dr

  Hacker News users discussed the motivations behind War Thunder players leaking classified military documents. Several commenters suggested that the players' intense dedication to realism in the game drives them to seek out and share restricted information to prove a point or improve the game's accuracy. This dedication, coupled with a lack of awareness about the potential consequences, contributes to the leaks. Some argued that the game developers bear some responsibility for fostering this environment by encouraging such a high level of realism. Other comments pointed out the ease of finding such information online, and the seemingly lax security surrounding some of these documents. A few commenters also highlighted the inherent tension between realism in games and the potential for misuse of sensitive information.

  The Hacker News post titled "Why do War Thunder players leak classified information? [video]" with the ID 42893089 has generated several comments discussing the phenomenon of War Thunder players revealing classified military documents. The comments generally revolve around the motivations, consequences, and psychology behind these leaks.

  Several commenters point to the intense dedication and passion that War Thunder players have for realism and accuracy within the game. This desire for highly detailed and accurate simulations drives some players to seek out real-world information, including classified documents, to gain an advantage or contribute to the game's realism. One commenter highlights the "weird intersection of autistic spectrum and military hardware enthusiasm," suggesting a correlation between a focused interest in detail and a fascination with military technology.

  The discussion also touches on the potential consequences of these leaks, both for the individuals involved and for national security. While some commenters downplay the significance of the leaked information, arguing it is often outdated or already available in other sources, others express concern about the potential damage to national security and the legal repercussions for those who leak classified documents. The debate also explores the game developers' role in moderating this behavior and the challenge of balancing realism with security concerns.

  Another prominent theme in the comments is the psychological aspect of the leaks. Some suggest that the anonymity provided by the internet and the gamer community emboldens individuals to share sensitive information they might otherwise withhold. Others posit that the competitive nature of the game and the desire to "win" at all costs can override concerns about legality or security. The discussion touches upon the concept of "gamification" and how it can blur the lines between reality and the virtual world, potentially leading to unintended consequences.

  Finally, several commenters express amusement and fascination with the recurring nature of these leaks, noting that it has become a somewhat predictable pattern within the War Thunder community. Some even speculate that the leaks might be a form of intentional disinformation spread by foreign governments. However, there's no substantial evidence presented to support these claims within the comments.