[AusNOG] ABC Website Hacked

Tim March march.tim at gmail.com
Wed Feb 27 14:18:14 EST 2013


Chooo chooo! Here comes the pwnage express...

Not really a huge surprise to the security punters, I guess. Another 
complicated site with insufficient security control gets owned. It is 
what it is. I incidentally spot gapers in sites all the time and just 
don't bother mentioning them any more because the response is normally 
so lacklustre...

For example; I noticed a forum skid hitting and posting XSS in a bunch of 
.au car manufacturer sites a while back. It was obvious they were 
gearing up for a phishing attack against those domains. I notified four 
manufacturers, only one took the time to get back to me and none of them 
fixed the issue within 6 months.

For the curious among you; there's a GAPING SQLi in another major 
media organisation that you can trivially find with a Google dork. I'll 
send a 6-pack of beer to anyone who identifies it by COB =)

I haven't looked at the dump but I won't be surprised if the passwords 
are trivially decryptable if they're encrypted at all. 1Password is your 
friend.



T.

On 27/02/13 1:41 PM, Pinkerton, Eric wrote:
> You may or may not have heard that a section of the abc.net.au website was compromised and a database leak was today posted online. It's not in the mainstream media yet, but it's all over Twitter originating from some Anonymous-related profiles. Contained within the leak are email addresses and hashed passwords, amongst a number of other less important fields.
>
> ABC are still "confirming" that it occurred, but the extensive number of legitimate email addresses (~50,000) contained within the leak makes it hard to dispute.
>
> http://pastebin.com/J3ceSWMw



