The story of a little hacking, or an adequate bugbound of a local Internet provider

Introduction

Good day, friends. This small hacking story happened to me in the middle of August of this 18th year. The story began in a small town in the Krasnodar Territory, with a tyrnet bad, there is 4g but this is all wrong, here in the countryside one could only dream of wires. And just recently this miracle happened, wires were sent to my area, and I immediately ran to connect 100 Mbps over fiber, 8k for connecting with the tariff.

Curiosity

Joy full pants, good tyrnet, small local provider, lx it corresponds to the status of a local provider, out of curiosity, I rummaged through lx, looked at what subdomains there were, and I found a subdomain admin.domain_provider.com / who immediately threw on the login form login. php, F12, opened looked up there, looked at js, there were interesting links in ajax requests "/? user_id =" + id, just copying the link and typing a random number, I threw out the user data in the table:

Passport number / number
Issued by
Date of issue
Name,
address,
phone number
Login (from tyrnet)

“Oh, I can't be,” I stuck the library into head jq, I spent 5 minutes writing ajax request in a loop and spitting it out into the body of the page, outputting 21,000 entries.

Quickly ctrl + f, drove his name, and yes I was there. My surprise, i.e. freely available hung user data. I looked at the rest of the links in ajax requests, there was a lot of everything, for some control of switches, for some reloads of something, because it was hard to understand what was responsible for what, I was not so interested.

It was already late, I thought, “thats developed doodles screwed up,” and went to bed.

On the trail. I began to think about the day, it’s not like all the jokes, and I can be held criminally liable for it, but in our country they put up reposts. Worth noting I didn’t plan to do anything like that, otherwise I would have secured myself with vpn / proxy. And on the other hand, if they leave such holes, they are unlikely to look at the logs. And on the third hand, it is better if I tell them what they will find my tracks, and then they will not talk to me for sure.

Point played

I google on Habré the name of the organization, I find the organization, with a few turnips, there is nothing interesting in them, I’m looking at who is in this organization, I google again, I find the developers in VK. I am writing: “Hello, and why are 21,000 users registered with all their data publicly available?”. He writes that he informed the head. Ok, I think I did my job.

Payback for curiosity

I woke up at about 10 o'clock in the morning, I had to work, I was front-facing. Knocking at the gate, looking out the window, looking at the little red machine, 3 people, I recognize one of the developers from the pictures, I think everything, and I saved everything, just like the html page on the desktop, quickly shift + del> confirm , take I take a cigarette, take a cigarette, go, I think, now it will be fun, I smoke, I go out.

- Hello
- Hello
- I understand that you understand where we come from
- Yes, I already understood - I am puffing up smoke
- I want to pardon you (shows the phone) I am recording the conversation
- Good
- You downloaded our database yesterday
- No, I did not download, I found vulnerability, and informed you.
- Our IT specialists have the data that you downloaded this base
- This is impossible, you can only see that I looked at it
- We are determined to solve it quietly, our IT specialists can make sure that you have not saved it?
- In principle, yes, do you want to go pick up a sistemnik or do I have everything to check in my house?
IT specialist says:
- Better if we take a sistemnik and check in the office
- Well.

Here you can argue with my decision, on the one hand, you are who I have not downloaded, go do not interfere, I will not give my sistemnik, and that you are me prove, on the other hand, it is dangerous, I'd rather talk to them than to the police. They can be understood, they are crap from the sesyurity, they have the right to be convinced. I made the decision to talk to them better.

We go home with them, cut down a sistemnik, pull jeans, sneakers, go to the office, get out of the car, go all together to the director. Different questions, why did you do it, why, how did you do it, I told them that their base hung in the public domain, and anyone could do it. We talked, we are going to check the sistemnik, these experts checked the bugs, looked at the basket, downloaded the prog, searched for keywords, did I offer them another phone to check? I could save on the phone, on a flash drive, and the clouds? I could save in Google Drive. In general, they looked for a tick, I watched and hoped that they would not guess to download some kind of data recovery prog, and see what was removed. (a question in comments, and with ssd the data is also easily restored as well as from hard?)

Epilogue

I sat for 2 hours watching their attempts. I took the sistemnik, went with the lawyer to the director, suggested that I sign an agreement on which I was allegedly hired retroactively to search for vulnerabilities in their system, they say but we will not pay you (I read the agreement before signing (but ask for a copy guessed)), we will give you a year of free internet as payment, ok. They took me home.

As my colleague later noted, it’s good that a year of free Internet and not a year is conditional. 1500 is worth a month of unlimited, multiply by 12, so much I had in my account in lx, when I returned home and checked. I lean back on the chair, exhale.