'Legacy System' Exposed Black Hat 2018 Attendees' Contact Info (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A "legacy system" was to blame for exposing the contact information of attendees of this year's Black Hat security conference. Colorado-based pen tester and security researcher who goes by the handle NinjaStyle said it would have taken about six hours to collect all the registered attendees' names, email and home addresses, company names and phone numbers from anyone who registered for the 2018 conference. In a blog post, he explained that he used a reader to access the data on his NFC-enabled conference badge, which stored his name in plaintext and other scrambled data. The badge also contained a web address to download BCard, a business card reader app. After decompiling the BCard app, the researcher found an API endpoint in its code, which he used to pull his own data from the server without any security checks. By enumerating and cycling through unique badge ID numbers, he was able to download a few hundred Black Hat attendee records from the server. The API was not rate limited either at all or enough to prevent the mass downloading of attendee records, the blog post said. The legacy system's API was disabled within a day of the disclosure. Black Hat said in a statement: "Thanks to them for disclosing this promptly and responsibly to our technology partner, who addressed the vulnerability immediately. We're working with our partner to ensure this isn't an issue in the future."
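The report describes three defects in one endpoint: the badge id in the request was the only "credential", the ids were small and sequential, and the API was not rate limited. The added example below (not code from the TechCrunch report, the BCard app or its vendor) shows a toy attendee-record API with that insecure lookup beside a hardened one, plus a log check a defender could run to spot a client walking consecutive ids. The records, the server key, the token scheme and the log format are all constructed for this example.

```python
"""Added example: toy attendee-record API and enumeration detector.
Records, tokens and log lines below are constructed sample data."""
import hmac
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Constructed sample records keyed by a small sequential badge id (the
# property that made mass download a matter of counting upwards).
ATTENDEES = {
    1001: {"name": "Alice Example", "email": "alice@example.com"},
    1002: {"name": "Bob Example", "email": "bob@example.com"},
    1003: {"name": "Carol Example", "email": "carol@example.com"},
}


def lookup_insecure(badge_id):
    """Insecure pattern: any caller who can guess an id gets the record."""
    return ATTENDEES.get(badge_id)


# Defence 1: a per-badge secret only the badge holder receives.  An HMAC of
# the id under a server key stands in for whatever a real vendor would
# provision; the key is generated fresh when this module is imported.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(badge_id):
    """Token handed to the holder's app when the badge is first registered."""
    return hmac.new(SERVER_KEY, str(badge_id).encode(), hashlib.sha256).hexdigest()


# Defence 2: a sliding-window rate limit per client.
RATE_LIMIT = 20          # requests allowed per window
WINDOW_SECONDS = 60.0
_requests = defaultdict(deque)


def _allow(client, now):
    """Record one request for `client` at time `now`; False once the window is full."""
    q = _requests[client]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True


def lookup(badge_id, token, client, now=None):
    """Hardened handler: rate-limit first, then require a token bound to this
    badge.  Returns None for every failure (missing record, bad token, over
    limit) so a probe cannot tell valid ids from invalid ones."""
    now = time.monotonic() if now is None else now
    if not _allow(client, now):
        return None
    if not hmac.compare_digest(issue_token(badge_id), token):
        return None
    return ATTENDEES.get(badge_id)


# Detection: flag clients whose requests walk consecutive ids.  The log
# format (client, method, path, status) is constructed for this example.
SAMPLE_LOG = """\
10.0.0.5 GET /api/badge/1001 200
10.0.0.5 GET /api/badge/1002 200
10.0.0.5 GET /api/badge/1003 200
10.0.0.5 GET /api/badge/1004 404
10.0.0.5 GET /api/badge/1005 404
10.0.0.9 GET /api/badge/1002 200
"""


def enumerating_clients(log_text, min_run=4):
    """Return clients that requested `min_run` or more consecutive badge ids."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].startswith("/api/badge/"):
            continue
        by_client[parts[0]].append(int(parts[2].rsplit("/", 1)[1]))
    flagged = set()
    for client, ids in by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("insecure:", lookup_insecure(1002))
    print("hardened, right token:", lookup(1002, issue_token(1002), "demo"))
    print("hardened, wrong token:", lookup(1002, issue_token(1001), "demo"))
    print("enumerating clients:", enumerating_clients(SAMPLE_LOG))
```

The token check and the rate limit are independent layers: the token stops a caller from reading anyone else's record at all, while the limit bounds how fast even a legitimate client can hit the endpoint, and the uniform `None` on failure keeps the 200/404 split in the sample log from leaking which ids exist. The detector is deliberately simple (a run of consecutive ids from one client); a 404-heavy run like the one in the constructed log is the same signal seen from the status-code side.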
Nelson (Score:2)
Nelson Muntz says his regards.
Seriously, the irony...
Re: (Score:2)
Seriously, the irony...
Yeah, I'm sure there's no way this was deliberate for a third-party or three-letter agency to collect info.
BCard app (Score:2)
So, if I was to use the BCard app, what data would I have access to?
What? (Score:3)
What "legacy system" exactly was breached?
Sounds like just an unauthenticated API to me where the system in question will just happily give out data if you use the API correctly.
Re: (Score:2)
I thought "legacy system" meant the one you've had for at least a decade and are currently replacing, or the one you're intending to replace like real soon now, honestly, and are wrapping all sorts of wrappers around in the meantime as a temporary workaround, because yo dawg ...
But I did see a post once saying "We're developing a new legacy system ...", so maybe I'm wrong. Maybe it's a generic term for any system that the hiptarded fuckster writing the article doesn't understand the function of.
Re: (Score:2)
:)
Actually the one quote I saw years ago was:
"Legacy system, n: Something that just works."
Impressive (Score:3)
This story is actually awesome in several ways: First, the hack itself. Pretty impressive that a security hole that deep was discovered. The second awesome bit is that the security hole was disabled in a day. The third awesome thing about this story, the really incredible part, was that the hacker didn't go to jail or even get charged with multiple crimes!
Re: (Score:1)
Yet.
"Legacy" code for production (Score:1)
The longer I've worked in IT Operations the more I've come to realize the truth in this.
Re: (Score:1)
That's the way it goes. It's quicker to just use source code that mostly works than to write anything new. Then layer over layer of code gets built on top of each other. This goes on for a decade or more. Then it becomes too difficult to remove or replace various layers so it all becomes one monolithic system that can't be upgraded and tasks are marked as "will not fix".
Huh? (Score:2)
So, a vendor servicing a BLACK HAT conference had an API in place that would just return user data without any sort of authentication? And nobody in that company saw the problem?
Yeah, ok, let's call it "legacy" in some sort of attempt to shift blame to... I don't know who... the 80s maybe???