accidently pentested a financial site

What is right? Is there right? Are you right?

accidently pentested a financial site

Post by cal225 on Sun Jun 01, 2014 9:53 pm
([msg=81151]see accidently pentested a financial site[/msg])

Hey guys, so Im a general computer science student in college, and recently have been teaching myself ethical hacking, hoping to become a professional pentester one day,
Tonight, while learning about Google Dorking, I tested a query.
Low and behold, publicly available SQL dbs with iffy information, I clicked on one (unnamed as they haven't fixed it yet)
Glory be, admin passwords with usernames and emails and phone numbers....
Then I looked up and saw the name of the site it connected to....
Oh shit...
It was a site that sells and buys expensive (redacted)
Just to see if they were that stupid (they were) I GOOGLED their site name with (admin) at the end (not even /admin just a straight google search of their site name and admin).
It took me to their admin login page, first result.......
I was about to walk away and send an email to their support, when for shitz and giggles, I threw a SQL injection or 1=1 at it....
It worked..... On thier ADMIN page, on a site that handles public transactions......
I immediately logged out and fired an email at their support desk informing them of all the flaws I found (and that I didn't fuck with anything)
Did I follow proper white hat procedure?
Anything I should/ shouldn't do in future?
Thanks In advance.
cal225
New User
New User
 
Posts: 4
Joined: Sun Jun 01, 2014 9:42 pm
Blog: View Blog (0)


Re: accidently pentested a financial site

Post by limdis on Sun Jun 01, 2014 9:59 pm
([msg=81152]see Re: accidently pentested a financial site[/msg])

Good on you for reporting it. But next time make sure you are going through a proxy (tor or similar)/vpn and use a clean email address. Unfortunately, some admins will call the authorities instead of acknowledging their colossal fuck up and you'll be facing a lawsuit. Even if you are doing the right thing it is still technically illegal. So just watch yourself.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
User avatar
limdis
Moderator
Moderator
 
Posts: 1657
Joined: Mon Jun 28, 2010 5:45 pm
Blog: View Blog (0)


Re: accidently pentested a financial site

Post by cal225 on Sun Jun 01, 2014 10:37 pm
([msg=81153]see Re: accidently pentested a financial site[/msg])

The site is based in India, so I don't think I have the FBI to worry about.... I hope...
cal225
New User
New User
 
Posts: 4
Joined: Sun Jun 01, 2014 9:42 pm
Blog: View Blog (0)


Re: accidently pentested a financial site

Post by cyberdrain on Mon Jun 02, 2014 2:34 am
([msg=81156]see Re: accidently pentested a financial site[/msg])

From what I gather online, hacking in India can be punished up to about 3 years in prison, see here. In comparison, in the USA it seems that you can get at least 10 years for most similar crimes, though most people here can probably tell whether that is true. So even if you do get prosecuted, be happy it's not based in the US. Then again, if their security is that bad, they probably wouldn't have noticed had you not told them, so I hope you used a mail-address not linked to you.

edit: and no, the FBI or other agency will probably not do the work for India, unless they have something to gain from it.
Free your mind / Think clearly
User avatar
cyberdrain
Expert
Expert
 
Posts: 2160
Joined: Sun Nov 27, 2011 1:58 pm
Blog: View Blog (0)


Re: accidently pentested a financial site

Post by Goatboy on Mon Jun 02, 2014 6:50 pm
([msg=81173]see Re: accidently pentested a financial site[/msg])

I laughed so hard at the title because I immediately thought of this:

Image

I don't think that qualifies as "accidentally" pentesting a site, but I tend to agree with the others that you should be more careful moving forward, using your own email was not smart, and you should be fine.
Assume that everything I say is or could be a lie.
19JAW6GabFHqe9yD9rr26QL3W3V2pNitbD
User avatar
Goatboy
Expert
Expert
 
Posts: 2863
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Re: accidently pentested a financial site

Post by cal225 on Tue Jun 03, 2014 10:13 am
([msg=81186]see Re: accidently pentested a financial site[/msg])

Yeah, I found it accidentally, but yes the testing was a little intentional, but I honestly didn't think it was real until I got in the admin account. (Who the hell let's your admin passwords get found by a Google search......)
But so far, no response to the email, I'm not even sure if the site is even being maintained, I've seen no activity so far,
But yes I've got a tor client on my tablet now and an anon email site, definatly being very careful in future.
Got hella Lucky on this one :shock:
cal225
New User
New User
 
Posts: 4
Joined: Sun Jun 01, 2014 9:42 pm
Blog: View Blog (0)


Re: accidently pentested a financial site

Post by cyberdrain on Tue Jun 03, 2014 12:51 pm
([msg=81197]see Re: accidently pentested a financial site[/msg])

cal225 wrote:But yes I've got a tor client on my tablet now and an anon email site, definitely being very careful in future. Got hella Lucky on this one :shock:

You can say that again, but you're not out of the woods yet. I don't know how long these kinds of investigations might take, but I do know that it could years to go from crime to sentencing. Also, you'd be surprised what you can find on Google.

Also, be sure never to log into an email using both TOR and clearnet. One or the other or you can throw it (and your anonymity with it) away.
Free your mind / Think clearly
User avatar
cyberdrain
Expert
Expert
 
Posts: 2160
Joined: Sun Nov 27, 2011 1:58 pm
Blog: View Blog (0)


Re: accidently pentested a financial site

Post by Goatboy on Tue Jun 03, 2014 10:35 pm
([msg=81204]see Re: accidently pentested a financial site[/msg])

cyberdrain wrote:I don't know how long these kinds of investigations might take, but I do know that it could years to go from crime to sentencing.

In my case it was some unimportant amount of time to get caught, 10 months before the preliminary hearing, 4 months before sentencing (which was considered pre-trial release, basically probation), then a year of actual probation, and here I am. ~2 year process overall, with restitution to pay for a long time. The gears of Justice move slowly.

My advice if you do get caught: Immediately start to learn a skill that can get you a job where you never have to touch a computer. In all likelihood you will have extreme restrictions on computer use if you get to use one at all. If you do it will likely be monitored, and probably restricted to only job-related activities. In some cases they will say you can only have a certain amount of Internet-enabled devices in the house, and they all have to run Windows since that's what the standard monitoring software uses. So no Mac, no Linux, no smartphone, no iPad, no PS4, and I'd even keep a wireless-enabled printer away. And of course no computer-related sites of any kind.

This could possibly also mean that, if you live with your parents and are over 18 you will either have to remove any non-approved computers (and guns, drugs, obvious stuff like that) or even move out. In my case I couldn't work with anyone who has a federal record.

Preparation is key. Probation was not actually that horrible since I bought a shit ton of books and basically read all the time. I learned to cook like a boss, so find something that will keep you busy.

Full disclosure: Some of the "facts" here about my experience are blatantly made up, and others are changed slightly. I don't feel like writing an autobiography, and the experience is varied enough across the board that, even if I made this all up (and I am not saying I didn't), the specifics would not really matter anyway. The advice is all solid.
Assume that everything I say is or could be a lie.
19JAW6GabFHqe9yD9rr26QL3W3V2pNitbD
User avatar
Goatboy
Expert
Expert
 
Posts: 2863
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Re: accidently pentested a financial site

Post by i404i on Wed Jun 04, 2014 5:31 am
([msg=81207]see Re: accidently pentested a financial site[/msg])

call225 you don't have to worry. Once I found an SQLi and couple of other vulnerabilities in a north Indian police website. Mailed them about the wide hole. Never got a reply. So just chill.
i404i
New User
New User
 
Posts: 7
Joined: Wed May 07, 2014 11:04 pm
Blog: View Blog (0)


Re: accidently pentested a financial site

Post by pretentious on Thu Jun 05, 2014 7:19 am
([msg=81224]see Re: accidently pentested a financial site[/msg])

Goatboy wrote:My advice if you do get caught: Immediately start to learn a skill that can get you a job where you never have to touch a computer. In all likelihood you will have extreme restrictions on computer use if you get to use one at all. If you do it will likely be monitored, and probably restricted to only job-related activities. In some cases they will say you can only have a certain amount of Internet-enabled devices in the house, and they all have to run Windows since that's what the standard monitoring software uses. So no Mac, no Linux, no smartphone, no iPad, no PS4, and I'd even keep a wireless-enabled printer away. And of course no computer-related sites of any kind.

I found it unbelievable when I first heard of the whole 'can't use a computer for x years' punishment. Especially in this day and age. Like imagine if you got told you couldn't use a knife to prepare food anymore because you've got a criminal record. The inner hacktivist comes out in me and i think. You don't know what I'm capable of and that just fucking terrifies you doesn't it.
Goatboy wrote:Oh, that's simple. All you need to do is dedicate many years of your life to studying security.

IF you feel like exchanging ASCII arrays, let me know ;)
Can you say brainwashing It's a non stop disco
User avatar
pretentious
Addict
Addict
 
Posts: 1189
Joined: Wed Mar 03, 2010 12:48 am
Blog: View Blog (0)


Next

Return to Ethics

Who is online

Users browsing this forum: No registered users and 0 guests