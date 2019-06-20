from the with-"Friends"-like-these... dept.
We’re fans of haveibeenpwned.com around here, but a weird story came across my proverbial desk this week: [Troy Hunt] wrote a “malicious” SQL injection into one of their emails! The attack string was a simple ';--.
Wait, doesn’t that look familiar? You remember the header on the haveibeenpwned web page? Yeah, it’s ';--have i been pwned?. It’s a clever in-joke about SQL injection that’s part of the company’s brand. The sequence is harmless as text, but inside SQL assembled by string concatenation the quote closes the current string literal, the semicolon ends the statement, and the -- turns everything after it into a comment, so whatever WHERE conditions followed simply vanish. An automated announcement was sent out to a company that happened to use the GLPI[*] service desk software. That company, which shall not be named for reasons that are about to become obvious, was running a slightly out-of-date install of GLPI. The email generated an automated support ticket, which began with that magic collection of symbols. When a tech self-assigned the ticket, the SQL injection bug was triggered, and their entire ticket database was wiped out. The story ends happily, thanks to a good backup, and the company learned a valuable lesson: ticket subjects and email bodies are untrusted input, and the defences are parameterized queries on the software side, prompt patching on the operator side, and tested backups for when both fail.
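To make the mechanism concrete, here is an added example (not code from the original post, from Troy Hunt, or from GLPI) that models a ticket table in SQLite and shows what ';-- does to a search and to a scoped DELETE when the subject line is interpolated into the SQL, beside the parameterized versions that treat it as plain data. The table, the sample tickets, and the function names are constructed for illustration; the page does not say what GLPI’s actual query looked like.

```python
import sqlite3

# Constructed sample tickets for the demo; not real GLPI data.
SAMPLE_TICKETS = [
    (1, "Printer on floor 2 is jammed", "alice"),
    (2, "VPN drops every hour", "bob"),
    (3, "';--have i been pwned? breach notification", "alice"),
]

# The sequence from the HIBP branding: a quote that closes a string literal,
# a semicolon that ends the statement, and a comment marker for the rest.
HIBP_PREFIX = "';--"


def fresh_db():
    """Return an in-memory SQLite database seeded with SAMPLE_TICKETS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", SAMPLE_TICKETS)
    conn.commit()
    return conn


def search_vulnerable(conn, owner, fragment):
    """Tickets of `owner` whose subject contains `fragment`, built by interpolation.

    With fragment == "';--" the statement that actually runs is
        SELECT id FROM tickets WHERE subject LIKE '%';--%' AND owner = 'alice'
    i.e. LIKE '%' (every row), with the owner check commented out.
    """
    sql = (
        f"SELECT id FROM tickets WHERE subject LIKE '%{fragment}%' "
        f"AND owner = '{owner}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn, owner, fragment):
    """Same query with bound parameters: the fragment is data, never grammar."""
    sql = "SELECT id FROM tickets WHERE subject LIKE '%' || ? || '%' AND owner = ?"
    return sorted(row[0] for row in conn.execute(sql, (fragment, owner)))


def delete_one_vulnerable(conn, ticket_id, fragment):
    """Meant to delete one ticket matched by id and subject; returns rows left.

    The same prefix truncates the WHERE clause to LIKE '%', so every row goes.
    """
    sql = (
        f"DELETE FROM tickets WHERE subject LIKE '%{fragment}%' "
        f"AND id = {int(ticket_id)}"
    )
    conn.execute(sql)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM tickets").fetchone()[0]


def delete_one_safe(conn, ticket_id, fragment):
    """Parameterized delete of a single ticket; returns rows left."""
    sql = "DELETE FROM tickets WHERE subject LIKE '%' || ? || '%' AND id = ?"
    conn.execute(sql, (fragment, ticket_id))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM tickets").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable search:", search_vulnerable(db, "alice", HIBP_PREFIX))  # [1, 2, 3]
    print("safe search:", search_safe(db, "alice", HIBP_PREFIX))  # [3]
    print("rows left, vulnerable delete:",
          delete_one_vulnerable(fresh_db(), 3, HIBP_PREFIX))  # 0
    print("rows left, safe delete:",
          delete_one_safe(fresh_db(), 3, HIBP_PREFIX))  # 2
```

The interesting part is that nothing here is an attack: the same subject line that a parameterized query stores and matches literally becomes a statement terminator the moment it is pasted into SQL as text. Prepared statements are the fix; escaping on the way in is the fragile alternative that breaks the first time a field is copied somewhere that was not escaped.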
[...] Modern security and privacy tools like Tor and the Tails distribution are amazing and potentially extremely useful. Journalists, protesters, and even whistleblowers find legitimate uses for the tool set. However, every once in a while a story forces us to look straight into the ugly face of the dark side of the net. In this case, it’s a predator who used Tor to stalk and harass teenage girls on Facebook, and extort compromising photographs from them.
The reason we’re talking about this case is that Facebook went to the extreme of hiring a security firm to develop an exploit specifically for their anonymous stalker. They found a zero-day in the Tails video player and developed a full de-anonymizing attack. Facebook then handed the attack over to the FBI, who used it to finally catch Buster Hernandez.
It’s still unknown precisely what the zero-day was, as it was never disclosed. Apparently the flaw was eventually removed from Tails in the course of normal updates, without ever being publicly identified as a vulnerability. It’s not entirely clear how long the FBI had the tool before the flaw was patched. It’s reasonable to suspect that it was used in other cases, though we’re not likely to find out any time soon. The silent fix matters for anyone tracking their own exposure, too: a bug that is fixed without being called a vulnerability gets no advisory, so users of the affected releases had nothing telling them they had been exploitable.
Was Facebook right to go to such extreme lengths to help capture a criminal who was abusing their platform?
[*] GLPI (French: Gestionnaire Libre de Parc Informatique, “Open Source IT Equipment Manager”) is an open source IT asset management, issue tracking and service desk system, written in PHP and distributed under the GNU General Public License.