24 Feb 2009 @ 9:23 AM 

I just got this email and would have asked his permission to post it, but I can’t do that.  Clearly this is the work of Ebaumsworld and no one else.  Since I’ve been following this thing, pretty much everything he says is true and confirmable and for the few things I didn’t happen to personally see, I believe this man knows what he talks about:


It doesn’t matter if Singles.org changed the passwords. The huge list of passwords and emails is already taken, and are being used on PayPals, Yahoo, Myspace, Failbook, etc. Singles.org is not the target anymore, just an enabler.

The amount of Ruination and Win produced in this operation is retarded, hahaha we’ve broken off marriages/engagements, got some guy to drive 5 hours to kick open this girls door, thinking she was dying from an overdose on pills. Countless families think their child is suicidal/gay/aids/hiv/etc.

There was one email we have, that contained emails to/from a Father and his Daughter that were… NSFW to say the least.

I foresee this hitting faux newz, because this is affecting people from everywhere. I’ve been into a woman’s account that lives in Africa.
This is global – We have Anons from around the world.
This is Anonymous.
We don’t forgive.
We don’t forget.
Expect us. – You know the deal, a security hole like this would never escape the wrath of Anonymous.

http://singles.org/admin
It’s either that or
http://singles.org/cgibin/admin

Long story short, the password for that is ‘****’.
4 digits.
I’ve seen all there is to see on that website, in all of its directories. We’ve dug up everything.

We even have the root password to the box, but that is very illegal, and do not want to go about that. Simply taking the encrypted string ( Which was pathetic, DES-crypto) and decrypting it is not a crime- Rooting a box is.

They deserve this, for false advertising, and personally allowing the world to fuck over their customers. They have lied, I hope the creators of the site aren’t christians too – That just gives them a bad name, and highly goes against the stereotype.

And, it’s always for the lulz.

And yes, I know you can get my IP from this. I’ve known of this blog for about a day and a half now. I’m on a public internet source, so don’t bother looking at the logs.
Oh yeah, speaking of logs, the size of the access log on Singles.org is a staggering 870 Megabytes. Retarded, hahah.


PS. Operation Jesus = A good percentage of the passwords stripped from Singles.org were ‘jesus’ or something related. ‘*j*e*s*u*s*’.

(:

:~# -X-

There’s no doubt Operation Jesus was epic.  There’s no doubt the 1u1z were epic (although that line got crossed fast).  There’s no doubt about any of it.  In most cases, the damage that was done will be undone and people will be able to clear their names.  The financial stuff was beyond the pale IMHO and there’s really no excuse for that.  It’s just a shame that the people who deserve to be hurt by this the worst aren’t going to be.  The bastards that run Singles.org couldn’t have handled this any worse.  Not only did they let it blow up and continue to (their server is still wide open), they didn’t warn their members when they could have – a time at which the damage would have been largely prevented.  They sat around and did squat.  Then a day later they made up a phony excuse and changed some passwords.  Did they warn their users what was happening to their personal information?  No.  Did they tell them how it was being used? No. Did they tell them to check their financial accounts?  No.  They just lied about what happened and let the damage get done.  Hell, I still don’t think “Frank’s” email account even maps back to anything.

The folks running Singles.org should be sued out of existence for every bit of this – they let it happen, they sat by worrying more about their reputation (and have you seen their site?  WTF) while Rome burned.  There’s not enough scorn in the world for the Singles.org owners, oh yah, and uhhh,  Ebaumsworld.


Originally posted at http://www.msmvps.com/WilliamRyan


[tags] Singles.org, db.singles.org, 4Chan, 4-chan, Lulz, Operation Jesus, Hacking, Bill Ryan, William Ryan  [/tags]

Categories: Technology
Posted By: admin
Last Edit: 24 Nov 2009 @ 01 16 AM

 24 Feb 2009 @ 5:45 AM 

This place is beyond low.  Countless email accounts have been breached, several facebook pages, several paypal accounts and much more.  As of last night, it was in full free for all mode as more vulnerabilities were found (although vulnerability is a bit of an understatement – more like stuff some lazy programmer couldn’t be bothered with).  This is their mea culpa:

[Screenshot: Singles.org acknowledgement]

Categories: News, Technology
Posted By: admin
Last Edit: 24 Nov 2009 @ 01 16 AM


At this point, seeing how pathetic Singles.org is responding to this, they deserve everything they get. This is all kinda epic except real people are getting hurt.  They aren’t the ones paying for it, well, at least until now.  I’ll post screen caps (very NSFW) shortly of just some of the work.  But I guess the geniuses at Singles.org weren’t content to just expose their members to hell yesterday, they decided to do it again today.  Yep, more insecurity.  The server is being pwned as we speak and well, it’s ugly. I mean really ugly.  Well, it was gonna be ugly:

HEY IDIOTS
HEY IDIOTS
HEY IDIOTS
HEY IDIOTS
HEY IDIOTS
HEY IDIOTS
HEY IDIOTS
HEY IDIOTS
HEY IDIOTS
HEY IDIOTS
HEY IDIOTS
HEY IDIOTS

someone rm’d the whole directory. do you know what that means, faggot? it means all files in the directory are gone. ie, http://db.singles.org/images/ no longer has any files in it, so no more shell commands can be run

SHOWS OVER. GO HOME. NOTHING MORE CAN BE DONE.

-Well, never mind, it appears the directory is being rebuilt.  This is going on RT and it’s there for everyone to see plain as day. You’d think the admin of this site might actually bother to watch it.

Categories: Technology
Posted By: admin
Last Edit: 24 Nov 2009 @ 01 16 AM

 23 Feb 2009 @ 2:38 AM 

Well, I’ve received a few comments and emails about this and things are just getting worse.  As of 7:38 AM 02.23.2009 they still haven’t put anything on their site indicating anything even happened.  Email is clearly not a valid option b/c of the nature of the breach (although it’s still worth trying).

I realized something and went to check it and the story gets worse.  On their homepage, there are two Galleries, one for men, one for women. The galleries are pictures of the members.  There are several missing images – many of which weren’t missing yesterday at the onset of this. I can only hope it’s b/c people found out their accounts were breached, noticed the defacements and either removed the substituted pictures or removed their own picture – hopefully it’s b/c they closed their accounts (which is what I recommended they do for each person I contacted).  I don’t want to make the problem worse but there’s an important point to be made here.

Yesterday I noted that all that was needed to access an account was simply to change the 5 digit account number associated with it in the query string.  Well, for each member of the gallery, they have a four letter abbreviation and then the account number.  If there was any doubt who owned what account or you wanted to get a list of valid account holders, you could go straight to the gallery.  If your profile had cscp10000 as the account in the querystring, and you see another member in the gallery who had cscp10001 listed, it wouldn’t take much brain power to realize that 10001 was definitely their account information.  It’s very likely I’m not the only one to catch this.  What this would allow you to do is basically scrape for account numbers that you knew were active and valid (as opposed to the loop/substitution approach I used which results in many dead accounts).  Why on earth would putting information like this be of any value to anyone other than a lazy programmer?  You can’t identify me in any way by cscp10000 other than on this site. I could at least see if it had first names or something like that, but this had the exact value to inject into the querystring to get to the updatable account page.
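The loop/substitution sweep described above leaves a very recognizable trail in a web server’s access log: one client requesting one account id after another in edit mode, many of them dead. As an added example (not code from the original post or from Singles.org), here is a small detector that flags that pattern. It assumes Apache combined-format log lines, a profile script that takes `acct` and `mode` query parameters, and account ids in the cscp10000 form the post mentions; the log lines are constructed samples, not real data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format lines (not real Singles.org log data).
# The acct/mode parameter names and the profile.cgi path are assumptions for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2009:13:01:01 -0500] "GET /cgi-bin/profile.cgi?acct=cscp10000&mode=edit HTTP/1.1" 200 4021 "-" "Mozilla/4.0"
10.0.0.5 - - [22/Feb/2009:13:01:02 -0500] "GET /cgi-bin/profile.cgi?acct=cscp10001&mode=edit HTTP/1.1" 200 3988 "-" "Mozilla/4.0"
10.0.0.5 - - [22/Feb/2009:13:01:02 -0500] "GET /cgi-bin/profile.cgi?acct=cscp10002&mode=edit HTTP/1.1" 404 512 "-" "Mozilla/4.0"
10.0.0.5 - - [22/Feb/2009:13:01:03 -0500] "GET /cgi-bin/profile.cgi?acct=cscp10003&mode=edit HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
10.0.0.5 - - [22/Feb/2009:13:01:03 -0500] "GET /cgi-bin/profile.cgi?acct=cscp10004&mode=edit HTTP/1.1" 200 4077 "-" "Mozilla/4.0"
192.168.1.20 - - [22/Feb/2009:13:05:10 -0500] "GET /cgi-bin/profile.cgi?acct=cscp10231&mode=view HTTP/1.1" 200 3900 "-" "Mozilla/4.0"
192.168.1.20 - - [22/Feb/2009:13:05:40 -0500] "GET /cgi-bin/profile.cgi?acct=cscp10231&mode=edit HTTP/1.1" 200 4000 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ACCT_RE = re.compile(r'[?&]acct=(?P<acct>[a-z]{4}\d{5})')
MODE_RE = re.compile(r'[?&]mode=(?P<mode>\w+)')


def parse_line(line):
    """Return (ip, timestamp, acct, mode, status) for a profile request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    acct = ACCT_RE.search(m.group('path'))
    if not acct:
        return None
    mode = MODE_RE.search(m.group('path'))
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return (m.group('ip'), ts, acct.group('acct'),
            mode.group('mode') if mode else 'view', int(m.group('status')))


def find_enumeration(log_text, window_seconds=60, threshold=3):
    """Flag clients that hit >= threshold distinct accounts in edit mode within window_seconds.

    A real member edits one account; sweeping many ids (404s included) is the
    loop/substitution pattern. Returns {ip: sorted list of account ids touched}.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 'edit':
            per_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Sliding window starting at each event; distinct ids, not raw hits.
            accts = {a for t, a in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(accts) >= threshold:
                flagged[ip] = sorted({a for _, a in events})
                break
    return flagged


if __name__ == '__main__':
    for ip, accts in find_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: {len(accts)} distinct accounts in edit mode, e.g. {accts[:3]}')
```

The threshold and window are deliberately low for the sample; on a real log you would tune them against a baseline, and the 404 responses to dead ids are the strongest signal of guessing rather than browsing.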

Many of these people are widows. Many are older folks. Many are quite young.  The demographics were pretty broad.  But b/c of the nature of the site, I’m sure most had some degree of confidence in the integrity of the company (I don’t).  As of this writing, many of these folks probably haven’t been notified and even if attempts were  made, once their email accounts were breached, emails wouldn’t be of much good.  Singles.org obviously updated their site b/c the exploit doesn’t appear to work anymore, how hard would it have been to update a paragraph’s worth of HTML to notify people that this happened?  Would you want to know something like this before signing up with a site?  I damn sure would and I’m sure anyone else would too.  But as of the time of writing, this is what you see when you go to their homepage:

[Screenshot: Singles.org homepage]

They sure didn’t overlook a single thing when it came to advertising did they?  Too bad they didn’t care as much about the security of their members’ information.  Too bad they still don’t care about it.

Perhaps the saddest part of all of this is that unless they notify members of what happened and explain to them all the likely ramifications, some members will have their money stolen and have all sorts of hell brought upon them and they’ll never even know it.  They may not even put 2 and 2 together… after all, how would you unless you happen to find out by some other means.

Well, I’m in the process of speaking to counsel about me contacting each person via the emails I have. I don’t want sued and don’t need hassled for spamming anyone but it doesn’t look like db.singles.org is going to step up.  BTW, you’ll notice their claim of 30,000 members.  I’m not calling them liars and don’t know how they claim that number, but I can assure you there isn’t near that many accounts, or weren’t as of last night when this all happened.

Categories: Technology
Posted By: admin
Last Edit: 24 Nov 2009 @ 01 17 AM

 22 Feb 2009 @ 1:03 PM 

I was hesitant to write about this b/c I’ve been threatened pretty seriously about my role in it.  But it’s important for people to understand a few things about the state of security today.  What occurred was so pathetic, the result of such rampant incompetence that it’s in a word, Criminal.

Singles.org is a dating site ostensibly for Christians.  They boast over 30,000 members and while I have strong reason to doubt that claim (explained shortly), they do have a lot of members.

Earlier this afternoon I was surfing and saw a thread about a security flaw that was found. B/c it appears to be closed now, it’s ok to talk about.  This site used querystring parameters to identify a user and the mode the page displayed in.  So someone noticed that you could put it in edit mode without having to be authenticated.  There were 6 digit account numbers so you could just randomly switch them and get into someone else’s account and update it.  Querystring injection is something I would never have dreamed could still be possible in 2009, but lo and behold, it is.
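What this paragraph (and the gallery observation in the 23 Feb post) describes is an insecure direct object reference: the URL alone chooses both the account and whether the page is in edit mode, so there is nothing to authenticate against. The following is an added illustration, not the site’s code, of that pattern beside a handler that takes the account from a server-side session instead. The request and cookie dictionaries, the `acct`/`mode` parameter names and the profile records are assumptions for the example.

```python
import secrets

# Constructed profile store (not the site's schema or real accounts).
PROFILES = {
    'cscp10000': {'name': 'Member A', 'bio': 'hello'},
    'cscp10001': {'name': 'Member B', 'bio': 'hi'},
}
# Server-side session table: opaque token -> account id fixed at login.
SESSIONS = {}


def login(acct):
    """Issue an opaque session token bound to acct.
    Hypothetical: the password check is assumed to have happened already."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = acct
    return token


def vulnerable_handler(query):
    """The pattern the post describes: the query string alone selects the account
    and the mode, so ?acct=<any id>&mode=edit works with no session at all."""
    acct = query.get('acct')
    if acct not in PROFILES:
        return 404, None
    if query.get('mode') == 'edit':
        PROFILES[acct].update(query.get('updates', {}))
        return 200, PROFILES[acct]
    return 200, {'name': PROFILES[acct]['name'], 'bio': PROFILES[acct]['bio']}


def hardened_handler(query, cookies):
    """Authorization comes from the server-side session, never from the URL."""
    owner = SESSIONS.get(cookies.get('session', ''))  # None without a valid session
    acct = query.get('acct')
    if acct not in PROFILES:
        return 404, None
    if query.get('mode') != 'edit':
        # Public view: only the fields meant to be public.
        return 200, {'name': PROFILES[acct]['name'], 'bio': PROFILES[acct]['bio']}
    if owner is None:
        return 401, None          # edit requires a session
    if acct != owner:
        return 403, None          # object-level check: you may only edit your own record
    PROFILES[acct].update(query.get('updates', {}))
    return 200, PROFILES[acct]


if __name__ == '__main__':
    # Anyone can deface another member through the vulnerable path...
    print(vulnerable_handler({'acct': 'cscp10001', 'mode': 'edit', 'updates': {'bio': 'defaced'}}))
    # ...but the hardened path refuses without, and across, sessions.
    tok = login('cscp10000')
    print(hardened_handler({'acct': 'cscp10001', 'mode': 'edit', 'updates': {'bio': 'x'}}, {}))
    print(hardened_handler({'acct': 'cscp10001', 'mode': 'edit', 'updates': {'bio': 'x'}}, {'session': tok}))
    print(hardened_handler({'acct': 'cscp10000', 'mode': 'edit', 'updates': {'bio': 'mine'}}, {'session': tok}))
```

The essential change is that the account being edited is derived from who is logged in, compared against the one named in the request; the `acct` parameter becomes a hint that is verified, not an instruction that is obeyed.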

I went to the link and saw serious defacing already. I put in a few numbers of my own and each page had been hacked.  What’s worse though is that each page had the person’s password in plaintext and their email.  You know where this is going.
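A plaintext password on the profile page, and the DES crypt(3) hash the quoted email in the 24 Feb post says was recovered from the box, are the two wrong ways to keep a password: one can be read, the other is fast to crack and truncates to eight characters. Added example, not the site’s code: storing only a salted PBKDF2-HMAC-SHA256 verifier from Python’s standard library, so there is no plaintext to print on a page and no weak hash to leak. The record layout and function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
ALGO = 'pbkdf2_sha256'


def hash_password(password, salt=None):
    """Return a self-describing verifier string: algo$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)
    return f'{ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}'


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split('$')
        if algo != ALGO:
            return False
        dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # malformed verifier string
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def store_user(acct, name, password):
    """What the site should keep on record: the verifier, never the password."""
    return {'acct': acct, 'name': name, 'password_hash': hash_password(password)}


def render_profile(record):
    """Fields safe to put on a profile page. The verifier stays server-side and
    the plaintext was never stored, so neither can end up in the HTML."""
    return {'acct': record['acct'], 'name': record['name']}


if __name__ == '__main__':
    rec = store_user('cscp10000', 'Member A', 'correct horse battery staple')
    print(render_profile(rec))
    print(verify_password('correct horse battery staple', rec['password_hash']))
    print(verify_password('jesus', rec['password_hash']))
```

Because the stored string carries its own algorithm and iteration count, the work factor can be raised later and old records re-hashed on the user’s next successful login, which is how a site migrates away from something like DES crypt without a forced reset.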

So people started modifying profiles which was, I have to admit, a little funny. But things got ugly fast. People realized that they could try the email account listed and password in case the folks used the same passwords and well, the results were predictable.

I sent out some warnings to these people but realized there was no way I was going to make much of a difference.

About this time people started going through Friend lists and emails and sending out mass emails that were crazy, pretending to be the given person.  The stuff would come off as totally real and in most cases, pretty offensive.

I wrote a program to go through and harvest the emails as quickly as possible and was going to shoot out a mass email. Not trying to ruin anyone’s fun but this was getting serious.  Like a dummy, I used my own email account to do it (I’ll explain WHY I did something this stupid shortly).

As my program was running, the threats started coming in.  People were raiding the user’s accounts and as they did, they were reading my warnings.  The “I’m going to make your White Knight Life F*cking hell you bastard” emails started coming in.  Agent R. if you’re reading this, I’ll reiterate, I WAS BEING ATTACKED FOR BEING A WHITE KNIGHT IN THIS. There are some really stupid people at ICE so I need to make sure there’s no confusion here about what I did.

My program was slow and I had to run through the results with a regex afterward to get all the email addresses and I got more threats.  Crap!

As I was reading this stuff, I was watching the progress.  Folks realized that many people use one address for Facebook and likely use the same password. And they were right. So they were now raiding Facebook accounts doing the same stuff.

The natural progression was to try Paypal.  And yep, same results.  I’m thinking “Great, I just spidered the whole freaking site in the middle of this, guess I’ll be talking to a special computer crime investigator AGAIN for the zillionth time in my life.”

Additionally, while people were sending out fake emails and raiding Paypal accounts, many were suggesting these people stop. Not out of altruism but b/c it’ll let the cat out of the bag. They advocated holding on to this stuff, covertly changing Challenge questions and using it some day in the future for ‘real’ stuff.

The saddest part of all of this was probably that the email for Singles.org bounced. csc@tampabay.rr.com apparently isn’t operational (so much for their claims about Frank the support guy http://www.singles.org/html/customer_support.htm and their live support).  Well, no, that’s not the saddest.  The saddest is that in 2009, such an exploit can exist.

Seriously, once I saw this, it took me exactly 7 minutes to write a program that could walk the whole site and harvest the emails.  7 Minutes.  It’s not the most elegant code but it worked.  So let’s say I found this exploit on my own. I could have written the program, and extracted Password and Email account pairs.  That would take about 10 minutes to write a program to attempt a login for each one and report back which ones were matches and which weren’t.  From there, a lot of really evil stuff could have been done.  I’m not a network developer and am pretty weak there.  Imagine what someone with real skillz could have done?

Lesson to be learned.. don’t use the same password for multiple accounts.  Get PasswordSafe for God’s sake and be done with such problems. Additionally, use throw away email accounts for stuff like, dating sites and well, everything else too – it’s not just no talent dating sites that have flaws that get exploited.  Use strong passwords – personally, I stopped using passwords under 15 characters a while ago.  Additionally, think really hard about co-mingling work and personal emails.  One of the people had some seriously bad stuff done to them (‘they’ wrote their boss and coworkers an ‘email’ that would certainly result in termination if they can’t prove it’s done by someone else).

This will be interesting…

UPDATE:  (02.23.09) – A commenter pointed out that the problem wasn’t ‘fixed’ at all and his/her point is absolutely valid.  db.singles.org did in fact ‘fix’ the bug but what that did was simply stop some of the bleeding.  I know if I could write a program that quickly to get all that info, it’s almost certain someone with different motives did the same.   Anyone whose email/facebook/paypal was already compromised isn’t helped one bit by having the hole closed b/c the damage is already done.  I was contacted by one of the people who I sent a warning email to and as of last night at 11:16 PM EDT, db.singles.org did not send out any notification that the breach happened nor did they warn people about what other problems could have happened to them personally as a result of the breach (according to the member I spoke with).  This is shameful.  I can understand why a company might not want to tell their entire customer base something like this happened, but that’s the price you pay for screwing up like this in the first place.  Do I think db.singles.org should go out of business over this?  Well, I think they need to make this right completely and in many ways, that’s not possible.  The embarrassment some people are experiencing by having really plausible sounding emails go out in their names is pretty hard to account for.  Sure, that’s not 100% db.singles.org’s fault (they would likely argue if the users didn’t use the same password they wouldn’t have this problem, but the same could be said in reverse, if db.singles.org didn’t screw up in the first place, these people wouldn’t be in the fix they are in).  I do think db.singles.org should put a notice on their front page and send every user an email (as I found out the hard way though, sending out an email may not result in users getting those emails if their accounts are already breached) letting them know what happened and the extent of it.
The breach was bad enough, but having your credit card and paypal info all over the internet is something altogether worse.

Categories: Technology
Posted By: admin
Last Edit: 26 Nov 2009 @ 01 35 PM


I myself have engaged in this silliness (signing as President Bush, Osama Bin Laden or Eric Cartman) but nothing this funny.

Categories: Bill Ryan, Humor
Posted By: Cuckoo
Last Edit: 08 Feb 2009 @ 11 02 PM
