Silvan Michael Gebhardt bio photo

Silvan Michael Gebhardt

Unternehmer, Informatiker, Network Operator

Twitter LinkedIn

as the readers of this Website might have noticed, I was recently in Berlin at the CCC Congress. I had the chance to meet several Hackers which are really awesome skilled in getting informations out of the Web you might not expect.

Eager to try that out myself, I found some Websites in the Web, that show some information you should not see.
Anyone here that knows about SQL Ledger? I suppose not that many. SQL Ledger is a webbased Tool which is a complete CRM - means you can manage the clients contact info and their invoices and your stock of products inside that.

Second, we got a Webhosting company. I do not have any relationship to them, neither did I know them before. All I did was a Google Query that someone showed me at the congress_

Then I found out this:
bild-1

What went wrong here?

  • I got Full Rights on the Database server - I could erase or create or change anything - e.g I can mark an invoice as unpaid and let them have fun resolve the issue
  • I got a full List of Credit Card Expiry Dates and Names
  • I got a Adress List of the referring People
  • If I setup SQL ledger myself and Bruteforce the Creditcard information, I can get good information and buy me what I want

Why did that go wrong?

  • Thou shall setup Mysql on a Public Server without a Password
  • Thou shall not setup your customer information System on a HTTP Connection (did not the trick here, but it is a “FAIL” too)
  • Thou shall not allow google to index your unsecured phpmyadmin! Use robots.txt wisely!

I will contact the Hosting company that has this security flaw and will post any updates if they dont react - I have the power to even dump their SQL Files and do whatever I want with it. Imagine to combined that with DNS Poisoning and I could get their Clients to login to MY rogue CRM System and give them fake invoices with my Account information instead so I get the money.
This - I could even do that on the existing System. Do YOU frequently check on your client invoices noone did modify the bank account number? I suppose not!

Do you know if your system is safe? You can have me have a look at it. I work with a Team of skilled People experienced in finding security holes in Webapps and infrastructure.