
So I found an exploit on this site...

Discussion in 'BlackHat Lounge' started by flyingspaghettitroll, Aug 19, 2008.

Thread Status:
Not open for further replies.
  1. flyingspaghettitroll

    flyingspaghettitroll Newbie

    Joined:
    Aug 13, 2008
    Messages:
    0
    Likes Received:
    0
    ... this is my first one, and I'm new to the hack for cash thing. The site has a virtual economy that, with some careful use, could be completely destroyed by this loophole for near unlimited currency. The site is also the biggest of its genre that hasn't been bought out by a major corporation yet, so it's about ready. Where should I go from here? How much money should I be asking for from the site's developer?
     
  2. bhnoobz

    bhnoobz BANNED BANNED

    Joined:
    Jul 26, 2008
    Messages:
    395
    Likes Received:
    107
    you're dumb.
    that's called extortion. this is a blackhat site, not an etard hacking site.
     
  3. flyingspaghettitroll

    flyingspaghettitroll Newbie

    Joined:
    Aug 13, 2008
    Messages:
    0
    Likes Received:
    0
    I'm not saying I'll ruin his economy. I'm saying that I can leave it be, or if he pays me for my work, I will point it out to him.
     
  4. vmedia

    vmedia Regular Member

    Joined:
    Feb 6, 2008
    Messages:
    239
    Likes Received:
    28
    pretty sure ppl have gone to prison for what you're proposing. good luck with that...
     
  5. flyingspaghettitroll

    flyingspaghettitroll Newbie

    Joined:
    Aug 13, 2008
    Messages:
    0
    Likes Received:
    0
    For not telling him? I'm not threatening him here, I just want to be compensated for my time.
     
  6. bhnoobz

    bhnoobz BANNED BANNED

    Joined:
    Jul 26, 2008
    Messages:
    395
    Likes Received:
    107
    Right.. So, what's your plan? Email them about a problem with their site then ask for money to disclose it? What would be their reason for paying? You should focus on creating something of your own instead of trying to extort money from developers.. :D
     
  7. TheInternetHustler

    TheInternetHustler Regular Member

    Joined:
    May 16, 2008
    Messages:
    484
    Likes Received:
    392
    I think it would be legit if you said something like: I have found some serious security risks on your website, I can help fix them for a fee...
     
  8. flyingspaghettitroll

    flyingspaghettitroll Newbie

    Joined:
    Aug 13, 2008
    Messages:
    0
    Likes Received:
    0
    Their reason for paying would be averting lost hours from someone else who figures it out and isn't so nice. It's the sort of hole that other people are going to find, I won't have to tell anyone. I'm not trying to extort anyone, it came out of trying to understand the structure of sites of its kind. I'm new and I wanted to see how some of his programming languages overlapped. That led to finding the insecurities.

    Hustler, that's sort of how I was going to put it. If someone told me I had an insecurity in my system right now, I would probably say "wow, really? I haven't even attempted to use Linux yet. I would never have guessed" and if they didn't threaten me, or exploit my system, it would be acceptable. I would probably take just a tiny bit of time (weekend long obsession... maybe disappear off the face of the earth for a week) trying to tighten security on my system, but I'm paranoid like that.
     
    Last edited: Aug 19, 2008
  9. flyingspaghettitroll

    flyingspaghettitroll Newbie

    Joined:
    Aug 13, 2008
    Messages:
    0
    Likes Received:
    0

    Thanks. It's nice to see a community worth posting on. I can't say I've agreed or disagreed with so many opinions at the same time, and actually seen some depth behind both sides.

    I was thinking of something along those lines; maybe ask them to forgive my past forum transgressions (Mr. hands is apparently not welcome on his site) and get a little bonus. My issue right now though, is making a bit of money. I'm not dying, but I'm on a VERY tight budget. (Why is a long, painful story that I won't get into. Life happened.) This guy made his site by ripping off another one quite blatantly in most of the concepts. I'm kind of suspecting he'll be facing a lawsuit down the road. Basically I don't think I could do this out of the goodness of my heart, but I would do it to know that my rent is paid.
     
  10. nessa2shoes

    nessa2shoes Registered Member

    Joined:
    Jun 23, 2008
    Messages:
    83
    Likes Received:
    113
    Location:
    Melbourne, Australia
    Well, if I owned that business, I would LOVE to hear from you! Geez - you are averting potential disaster and offering to fix a yet-undiscovered security breach. What's so wrong with selling your expertise?? Go for it! The difference between a specialist consultant and an extortionist is all in the delivery.....any company would have to be mental to not hear you out..... :)
     
  11. vmedia

    vmedia Regular Member

    Joined:
    Feb 6, 2008
    Messages:
    239
    Likes Received:
    28
    pretty sure your "penetration testing" on their site could be construed as a network intrusion. steep penalties here too.

    as a long shot you might be able to tell them you'd do a FREE network analysis for them and offer different levels of solutions. level A = broad description of the problem, level B = you give them specifics so they can hire someone else for x-dollars, level C = you take care of everything for x-dollars.

    I say free because i mean, who turns down something that's free, right? i always take a piece of chicken from the oriental guy handing out the samples at the mall...

    still risky though.
     
  12. dogdog

    dogdog Regular Member

    Joined:
    Apr 17, 2008
    Messages:
    245
    Likes Received:
    54
    Location:
    Online
    If you tell someone: "hey I know how to steal $ from your house, security is not tight." Then one day, the guy really loses his money. Who will he think the thief is? You will be the primary suspect.
     
  13. flyingspaghettitroll

    flyingspaghettitroll Newbie

    Joined:
    Aug 13, 2008
    Messages:
    0
    Likes Received:
    0
    I like the idea with your network analysis, vmedia. Though I wouldn't say I was being that intrusive. All I did was look at some unencrypted client-side code, then used a custom-made URL in my browser to fake some variables to their PHP server. I sort of feel like a n00b just describing it. I altered the in-game economy by what would be the equivalent of two minutes' effort, just to test it. Essentially I spent more time figuring out which variables to declare than I would have making the money that I took. Is this enough to be taken seriously in court? I honestly don't know what the law makers are passing down as 'malicious' when it comes to something like this.

    Donor, I haven't even proxied myself while doing this work, besides staying behind a router and changing my MAC/IP every now and then to look at how the site handles log-ins. He could pull up my ISP's server logs and I wouldn't worry much. If he subpoenaed my computer well... I think all of us wonder at times if RIAA would start prosecuting for having an mp3 player, but he wouldn't find anything.
     
    Last edited: Aug 19, 2008
  14. vmedia

    vmedia Regular Member

    Joined:
    Feb 6, 2008
    Messages:
    239
    Likes Received:
    28
    here are just two examples of why you should re-think doing something like this. The net is littered with more examples so overall I don't think it's a recipe for success...


    http://www.businessweek.com/bwdaily/dnflash/aug2000/nf20000822_308.htm

    Cyber-Extortion: When Data Is Held Hostage Here's an issue facing more and more e-businesses -- malicious hackers who demand a payoff to keep their security breaches secret


    also from the FBI....


    Intrusion/Extortion

    The Washington Post obtained information that Forensic Tec Solutions, a computer security consulting company, illegally entered confidential government and business computers. The consultants purportedly entered these systems to notify victims of system vulnerability problems, gain exposure/publicity and subsequently offered to protect the systems for a fee.

    http://www.fbi.gov/cyber/cysweep/cysweep1.htm
     
  15. flyingspaghettitroll

    flyingspaghettitroll Newbie

    Joined:
    Aug 13, 2008
    Messages:
    0
    Likes Received:
    0
    I read both the articles vmedia, scanning for the relevant parts on the second. I guess for me the head scratcher is the definition of "intrusion" and how it relates to what I'm doing. Was sending altered values that changed my player account an intrusion? If so, was it enough of an intrusion to be taken seriously? I don't think I elicited anything that could be considered private or guarded information.
     
  16. bhnoobz

    bhnoobz BANNED BANNED

    Joined:
    Jul 26, 2008
    Messages:
    395
    Likes Received:
    107
    Basically you gained more access to a system than you were allowed.

    Code:
    http://www.law.cornell.edu/uscode/search/display.html?terms=computer&url=/uscode/html/uscode18/usc_sec_18_00001030----000-.html
    Read, enjoy. As I said before, channel your energy and knowledge into something creative. Let someone else get in trouble for fucking with some lame game site...
     
  17. bargain

    bargain Junior Member

    Joined:
    Apr 21, 2007
    Messages:
    139
    Likes Received:
    3
    this happens all the time, and i don't think it is extortion. i know banks pay for info on vulnerabilities. it really depends on whether or not you threaten them. if you don't then this is ok IMO.
     
  18. bhnoobz

    bhnoobz BANNED BANNED

    Joined:
    Jul 26, 2008
    Messages:
    395
    Likes Received:
    107
    You would think that way. All it takes is an asshat to notice your 'intrusion', call the feds and 'prove' 5k in losses.. Hiring a team of monkeys to fix your intrusion could cost more than 5k.. How much money do you expect to get? $200? $500? Seriously not worth it..... I'm done.
     
  19. bargain

    bargain Junior Member

    Joined:
    Apr 21, 2007
    Messages:
    139
    Likes Received:
    3
    there was a case where a guy had worked out how to make debit cards that would trick atms into giving money. he told the bank and they ignored him thinking he is lying. he then withdrew $100 and sent them the receipt as evidence. they then arrested him because he had fraudulently stolen money from them.

    my point - until you do anything that breaks the law i think you are ok and are actually *helping* them. if you do anything illegal including - illegally accessing a system, blackmailing (making threats), theft etc. then you are crossing the line and will get what is coming.
     
  20. flyingspaghettitroll

    flyingspaghettitroll Newbie

    Joined:
    Aug 13, 2008
    Messages:
    0
    Likes Received:
    0
    By that rationality couldn't I say that my inbox wasn't intended to be used for spam? And if I blew 5k in lawyers, couldn't I sue anyone in sight who sends me "all natural viagra" e-mail? I'm assuming of course that I could track said hypothetical person. I'm hoping I can survive for another month - I wasn't about to ask for more than $500. I'm betting most people would rather opt for 1/10th of their money, or to ignore the problem. Besides that, I'm sitting in Canada, dealing with servers in the UK. Anyone know which country's laws I should be digging into? (AKA where would they be filing a lawsuit against my ass?)

    I can honestly say I didn't expect to see two such different opinions about what I would think to be a common topic. I'm pleasantly surprised as I have trouble feeling secure about any group giving me a definite answer.
     