
The Moonpig Bug: How 3,000,000 Customers' Details Were Exposed

  • Published 5 Jan 2015
  • It's been all over the British news today: developer Paul Price found a bug in photo-crap-maker Moonpig's site, one that might have exposed three million users' personal information. Paul's got a great technical post about it at www.darkport.c... -- but there's no decent non-techie explanation except for the one-paragraph summaries in newspapers. It was a perfect storm of tech incompetence: here's how to avoid doing it yourself.

COMMENTS • 939

  • @sxa555
    @sxa555 9 years ago +3821

    I'm really hoping that the term "moonpigging" becomes a term for companies that give a vague "Your security is important to us" message. Next time I get one (on twitter) I'm RT'ing it with a message "I'VE BEEN MOONPIGGED"

    • @thejay8963
      @thejay8963 6 years ago +174

      sxa555
      Moonpigging
      Mün-pig-ing
      When a Company lies about internet security by making false claims of security that stated company does not have.

    • @techheck3358
      @techheck3358 5 years ago +154

      Tom Lake Charles
      Moonpigging
      /muːn/pɪɡ/ɪŋ/
      verb *VULGAR SLANG • ENGLISH*
      1. When a company makes a very
      specific denial of a security bug
      “I was moonpigged”
      _synonyms:_ disgrace, dishonour,
      disrespect

    • @hencytjoe
      @hencytjoe 5 years ago +50

      I hereby take the liberty of claiming this term as a valid choice of expression for the aforementioned reason.

    • @richardmillhousenixon
      @richardmillhousenixon 4 years ago +1

      @Kanashimi You can do that with Google Home

    • @qqqalo
      @qqqalo 4 years ago +12

      When someone claims to care about your data it means they want to sell it and couldn't care less about it.

  • @s6th795
    @s6th795 7 years ago +6974

    Rule #1 of database design: All user input is evil. No exceptions.

    • @AshtonSnapp
      @AshtonSnapp 5 years ago +345

      What if the user input causes an exception?

    • @tiny_toilet
      @tiny_toilet 5 years ago +499

      @@AshtonSnapp See Rule #1.

    • @Tobias-nv3dx
      @Tobias-nv3dx 5 years ago +103

      @@AshtonSnapp I laughed way too hard at this ...

    • @AshtonSnapp
      @AshtonSnapp 5 years ago +32

      Tob ias I’m glad to know that :D you have an awesome day

    • @KnakuanaRka
      @KnakuanaRka 4 years ago +19

      Or at least treat all user input as possibly malicious.

  • @SorryBones
    @SorryBones 4 years ago +673

    “If they respond I’ll put it in the description”
    ...a half decade waiting list huh? They must be very very busy

  • @aliabdaal
    @aliabdaal 4 years ago +3631

    Wish I’d mined bitcoin in 2015

    • @distantt
      @distantt 3 years ago +13

      I wonder how it works

    • @hgu
      @hgu 3 years ago

      Rip

    • @lukasvavrich3349
      @lukasvavrich3349 3 years ago +302

      I did. And I forgot about it. And now there is a bitcoin wallet somewhere on the internet with $800 000 that I can't access. RIP me.

    • @distantt
      @distantt 3 years ago +40

      @@lukasvavrich3349 rip you

    • @youngclueless7364
      @youngclueless7364 3 years ago +2

      Ik ur cousin

  • @petartodorov9202
    @petartodorov9202 5 years ago +2300

    231 weeks since this video was uploaded. Tom hasn't updated the video description with moonpig's response yet...

    • @JackTheGamingGuy4REALZ
      @JackTheGamingGuy4REALZ 4 years ago +137

      5 years no update

    • @taylor1991
      @taylor1991 4 years ago +13

      Does anyone care, doesn't have to be impartial or balanced

    • @butikikisame2548
      @butikikisame2548 4 years ago +146

      I don't think Moonpig responded at all. I can't find any article after Moonpig's initial public response.

    • @IvanLDiaz
      @IvanLDiaz 4 years ago +50

      September 9th, 2020. Pandemmial here. Tom still doesn't get a reply.

    • @addisonchan3053
      @addisonchan3053 4 years ago +43

      @@IvanLDiaz Someone seeing the word pandemmial 50-100yrs onward would sound like some trend name or something.

  • @LeftRight1511
    @LeftRight1511 8 years ago +739

    The notion that people still don't "code like they're being attacked" astounds me. One of the first formal courses I took in programming, the lecturer made it very clear we understood the notion and importance of defensive programming.

    • @ktcd1172
      @ktcd1172 7 years ago +36

      Some of us are Old School Programmers. Way back in the day the only kind of real hacking that needed to be worried about was some student coding something that would walk a printer across the room until it pulled the plug from the wall shutting it down until you could get engineers into the facility and haul it back into place and reset the equipment with the system. Security was maintained with locks on the doors and ID checks on personnel allowed into the locations with terminals.

    • @Toothily
      @Toothily 4 years ago +12

      @@ktcd1172 okay boomer

    • @WildBluntHickok
      @WildBluntHickok 4 years ago +30

      @@Toothily Nice to see someone using the word boomer correctly. I'm from the generation after the boomers and what he's talking about would've been when I was a kid in the 80s.

    • @nichm7318
      @nichm7318 3 years ago +1

      @@WildBluntHickok o k b ö m e r

    • @doomse150
      @doomse150 2 years ago +2

      Or you could just start using a high level web framework, since the people designing those usually know what they are doing way better than you do

  • @AwesomeMinecraftersakuraodomMC
    @AwesomeMinecraftersakuraodomMC 8 years ago +9338

    I cringed so hard when he said that Moonpig decided to use consecutive IDs. I think I'm finally becoming a computer nerd

    • @kristiansvendsen6906
      @kristiansvendsen6906 7 years ago +120

      Nope just a weaboo

    • @froidesprit
      @froidesprit 7 years ago +365

      Nah, definitely a computer nerd. I cringed too, and I am the most anti-anime person alive.

    • @TheHaughtsauce
      @TheHaughtsauce 6 years ago +228

      There is nothing wrong with consecutive IDs. If you think consecutive ids are a problem, it is actually a symptom of a much larger authentication/authorization issue

    • @CrazyConnor2
      @CrazyConnor2 5 years ago +1

      Same XD

    • @undead890
      @undead890 5 years ago +258

      Consecutive IDs aren't the problem, as long as they are only used on the backend and no one ever sees them.

  • @erictaylor5462
    @erictaylor5462 8 years ago +1315

    I found a security hole in a courthouse. I had jury duty so was going to the courthouse every day. I also have a fake leg that sets off metal detectors. This meant, every day I went there they had to pull me aside, scan me with a handheld device, then check my leg. They did this the first three days, then on the 4th (and all the rest of the days) they just waved me through, without bothering to check. This meant, had I wished to, I could have easily gotten a gun or other weapon into the courthouse.
    When I called they were very interested to hear this. They thanked me and quickly fixed it.

    • @liesdamnlies3372
      @liesdamnlies3372 8 years ago +131

      +Eric Taylor Government showing more responsibility for security than a large corporation. I don't know if I should be surprised or something else.

    • @erictaylor5462
      @erictaylor5462 8 years ago +252

      *****
      This wasn't "government". This was a single individual whose ass would have been on the line had someone managed to get a weapon in.
      Also this was several years ago. Who knows if the same thing wouldn't happen again.

    • @liesdamnlies3372
      @liesdamnlies3372 8 years ago +71

      Eric Taylor
      Well, okay, someone working for government. Which yes, I'm definitely surprised, given that the level of incompetence demonstrated by government in IT can be staggering. (I've received passwords, which can't even be changed, from government websites, via email in plaintext. Cringe.)

    • @erictaylor5462
      @erictaylor5462 8 years ago +8

      *****
      I sent my sister a password in code at least.

    • @toproudtooadmitmitsake1842
      @toproudtooadmitmitsake1842 4 years ago +19

      @@erictaylor5462 You're thinking too zoned in, it is the government, you can never rely on security to police itself, complacency especially in repetition is human nature, the onus is on the government to monitor quality and ensure safeguards are in place to keep a constant standard of security.

  • @Fraktallity
    @Fraktallity 8 years ago +3976

    Tom scott- Defenitley not sponsored by moonpig.

    • @Fraktallity
      @Fraktallity 8 years ago +20

      *****
      No such thing as bad publicity, however I doubt Tom would have sold out that hard, if at all.

    • @kobiemelverton2231
      @kobiemelverton2231 8 years ago +30

      By law, he has to state it

    • @kikicat123
      @kikicat123 8 years ago +29

      you need to send that grammar to moonpig

    • @benjaminpatterson3535
      @benjaminpatterson3535 8 years ago +1

      +kobie melverton we all know that now don't we

    • @jpeg8596
      @jpeg8596 6 years ago +4

      Fraktallity - Cheeky Videos ( ͡° ͜ʖ ͡°) He wouldn’t because it is illegal to not disclose that you’re sponsored.

  • @GamesFromSpace
    @GamesFromSpace 9 years ago +150

    Another pro tip: If you're working with offshore developers, always make sure they implemented features the way you requested. I've narrowly avoided silly problems like "sequential customer IDs" or "token strings containing user info" that way. You get what you pay for.

    • @robertlozyniak3661
      @robertlozyniak3661 8 years ago +9

      +Joshua Pearce I wonder which is harder, making sure they do it the way you want or just doing it yourself.

    • @GamesFromSpace
      @GamesFromSpace 8 years ago +4

      Robert Lozyniak It depends if doing it yourself means reading their code.

    • @jacobtracey555
      @jacobtracey555 2 years ago

      TL;DR: Don't hire Indian programmers.

    • @eTiMaGo
      @eTiMaGo 1 year ago +5

      @@jacobtracey555 Nothing wrong with them, but I once had an Indian friend tell me that the best programmers there end up getting hired by large companies, leaving mostly newbies and low-skilled programmers left on upwork, freelancer, etc.

    • @mystic_galaxies9832
      @mystic_galaxies9832 1 year ago

      @@jacobtracey555 and why Indians specifically?

  • @OmegaCraftable
    @OmegaCraftable 9 years ago +598

    "Code like you're being attacked", love that. :)
    Great video as always!

    • @57thorns
      @57thorns 5 years ago +8

      Because you are under attack, this is the internet we are speaking of.

    • @kusaisama
      @kusaisama 3 years ago

      💗

  • @mena376
    @mena376 8 years ago +1174

    half moon, half pig, and half bug.... no wait

    • @theLuigiFan0007Productions
      @theLuigiFan0007Productions 8 years ago +172

      The 3 halves you just mentioned caused a buffer overflow in the terribly written site.
      Congratulations, you now have root access to everything. :DDDDDDDDDDDDDDDD

    • @froidesprit
      @froidesprit 8 years ago +53

      theLuigiFan0007
      Not upvoting your comment because you will then have two different buffer overflows.

    • @pinkribbon1007
      @pinkribbon1007 6 years ago

      mena3976 😂👏

    • @panda4247
      @panda4247 6 years ago +7

      It's half moon and half pigbug. Better call Al Gore

    • @Banzybanz
      @Banzybanz 5 years ago +2

      Lulz. This week the same topic was revisited in South Park.

  • @beenis08
    @beenis08 4 years ago +226

    Companies: writing bad code
    Tom: "y'all are getting paid?"

    • @chewtag
      @chewtag 4 years ago

      not funny

    • @beenis08
      @beenis08 4 years ago +12

      @@chewtag damn... and I assume you didn't laugh? 😞

    • @codinghub3759
      @codinghub3759 3 years ago +4

      @@beenis08 was funny, did laugh

  • @Arbenowskee
    @Arbenowskee 3 years ago +45

    As Tom mentions at 3:34 - a word of caution, always report these kinds of bugs through a lawyer. Big companies will happily sue you or report you to police for "hacking" instead of saying thank you, even if your intentions were 100% honest and you showed them that. Has happened to more than one person I know.

  • @elminz
    @elminz 9 years ago +188

    I think one of the biggest things I learnt about security from hackers when working on online games is: "Assume all data you get could be a hack". Even if it's as simple as someone's date of birth, assume it could be forged data designed to break your system. No exceptions.

  • @mathgeniuszach
    @mathgeniuszach 5 years ago +41

    I agree with you; something my uncle always says: whatever you program, try to get it to fail. Don't program it to fail, but test it and try to get it to fail so you can fix it. That's one of the reasons I like ethical hackers so much and the companies that use them; you know they won't easily fail to simple security flaws. Kudos to anyone who finds these issues and reports them urgently, safely, and carefully.

  • @rogerwilco2
    @rogerwilco2 9 years ago +36

    The problem is that a lot of these things are done when a company has no clue about code themselves and hires someone with a fast talk, or has the 16 year old son of one of the managers do it in a weekend.
    And then it stays in the code when the site grows and starts attracting lots of customers.
    Nobody will be asked to look at it, because "it has worked reliably in the past".

  • @kujmous
    @kujmous 9 years ago +466

    One could only guess what rights account number 1 was allowed to do.

    • @AshtonSnapp
      @AshtonSnapp 6 years ago +31

      kujmous Acc No 1 is probably the admin.

    • @Hahahawhatsup
      @Hahahawhatsup 6 years ago +135

      cheers sherlock

    • @lyrimetacurl0
      @lyrimetacurl0 5 years ago +26

      What about number 0? The boss?

    • @mitch_tmv
      @mitch_tmv 5 years ago +23

      no number 0 is the time traveller

    • @Chris_Cross
      @Chris_Cross 5 years ago +18

      Try -42

  • @tymo7777
    @tymo7777 9 years ago +24

    You are a fantastic model for a responsible public figure on the internet.

  • @Foul_Quince
    @Foul_Quince 4 years ago +12

    I am constantly amazed how many developers incorporate security through obscurity as a strategy.

  • @HenryW9
    @HenryW9 9 years ago +870

    "Ah, nobody will notice this" - a very British attitude

    • @hikari_no_yume
      @hikari_no_yume 9 years ago +21

      Also rather reckless. :(

    • @geraldhenrickson7472
      @geraldhenrickson7472 6 years ago +22

      Henry W: British? Denial seems a rather large factor of the human condition. I believe anyone, anywhere could say this.

    • @geraldhenrickson7472
      @geraldhenrickson7472 6 years ago +5

      Mr Shekel: Why fuel the fire of discontent? Stop blaming all of a given nationality... for the acts of but a tiny few.

    • @pepperjeanne1566
      @pepperjeanne1566 6 years ago +20

      More like " a very *human* attitude"

    • @John2find
      @John2find 5 years ago +1

      I thought it was Indian attitude.

  • @jacob416
    @jacob416 4 years ago +39

    Context: I live in America. My professor always said “this isn’t the justice system, everyone is guilty until proven innocent, not the other way round.”

    • @electricspider2267
      @electricspider2267 1 year ago +1

      You're innocent, but btw could you like stay in this tiny room for months until we can prove you're actually guilty. Notice I didn't include a '?' because I'm not asking, I'm forcing.

    • @jacob416
      @jacob416 1 year ago +1

      @@electricspider2267 you forgot "unless you, or someone you know, is able/willing to pay several months' worth of your salary all at once, because that's a completely reasonable request of someone who more than likely lives paycheck to paycheck. aren't you glad we have such a flawless and perfectly moral system"

  • @shuttsteven
    @shuttsteven 9 years ago +25

    As someone who has no horse in this particular race, I have never heard of Moonpig before as a US customer, really enjoy these computer security videos. I hope to see more of them in the future!

  • @rud
    @rud 8 years ago +478

    "someone's ugly baby". Telling it like it is. :D

  • @europeansovietunion7372
    @europeansovietunion7372 5 years ago +495

    I'm pentesting right now.
    This one has no ink anymore, next.

    • @mastertrams
      @mastertrams 4 years ago +4

      Ok, that was a good'un, but I think you're deliberately missing the point. Wrong type of pentesting mate.

    • @scepto43
      @scepto43 4 years ago +13

      @@mastertrams can't tell if that's a r/woooosh or not

    • @JustPoaj
      @JustPoaj 4 years ago +4

      @@scepto43 r/wooosh

    • @addisonchan3053
      @addisonchan3053 4 years ago

      @Michael Darrow r/noheacknowledgeditasajokebutwantedtomakesurehewasntjoking

    • @legendarytat8278
      @legendarytat8278 3 years ago

      @@addisonchan3053 r/ihavereddit

  • @DamienWells
    @DamienWells 9 years ago +129

    Not too long ago, someone I know gave me some advice similar to what you said at the end of the video. His words were along the lines of "When coding security as an adult, don't think logically, try to think like a kid. If you build it logically and too structured it's easy to crack. And even if it's logical and structured but still you think it's near unbreakable, most of your attackers will be kids, young people, the ones who think outside the box. It's easy for those people to find holes you never thought possible."
    What are your thoughts on this?

    • @vincentmuyo
      @vincentmuyo 5 years ago +7

      ... Why wouldn't you code logically? It's not going to get safer just because no one can read the code.

    • @Ashebrethafe
      @Ashebrethafe 5 years ago +40

      @@vincentmuyo The code should be a logical implementation of the design, but that design should be as unstructured as possible. Moonpig should have used random customer IDs, instead of taking the "logical" approach of making them consecutive, so that nobody could use their IDs to determine someone else's. They also should have generated a _different_ random ID for each token, so that a user whose token ID was compromised could get a new one by deleting the old token and signing in with their username and password.

    • @Toothily
      @Toothily 4 years ago +28

      I think that's a poorly articulated way to say, don't get cocky or rest on your laurels, but instead be curious and devious in testing your own code.

    • @beesree39
      @beesree39 4 years ago +20

      @@Toothily how does one rest on a yanny

    • @clockworkkirlia7475
      @clockworkkirlia7475 4 years ago +3

      @@beesree39 ...Well played.
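The two design points made in this thread, that sequential database ids are harmless only if they never act as a credential (@undead890's reply above) and that each sign-in should get its own random token that can be revoked (@Ashebrethafe's reply), as an added example that is not part of the video or any comment. The customers, the in-memory session store and the handler names are constructed for illustration:

```python
import hmac
import secrets

# Constructed sample data for this example: two customers whose internal
# database ids happen to be sequential. The ids stay on the server; a
# client only ever holds an opaque session token.
CUSTOMERS = {
    1: {"name": "Alice Example", "address": "1 Sample Street"},
    2: {"name": "Bob Example", "address": "2 Sample Street"},
}


class SessionStore:
    """Maps random session tokens to the customer they were issued to."""

    def __init__(self):
        self._sessions = {}  # token -> customer_id

    def login(self, customer_id):
        # Assumes the caller has already verified username and password.
        # 32 random bytes from the OS CSPRNG: unrelated to the customer id
        # and not derivable from any other token, so a new sign-in gets a
        # fresh, unrelated token every time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = customer_id
        return token

    def resolve(self, token):
        # Constant-time comparison so a guessed token cannot be confirmed
        # byte by byte through timing differences.
        for stored, customer_id in self._sessions.items():
            if hmac.compare_digest(stored, token):
                return customer_id
        return None

    def logout(self, token):
        # Revoking the token is what makes "delete the old one and sign in
        # again" actually lock out whoever copied it.
        self._sessions.pop(token, None)


def vulnerable_get_customer(customer_id):
    """The pattern the video describes: the client-supplied id is the
    only thing the server looks at, so any id in range returns a record."""
    return CUSTOMERS.get(customer_id)


def hardened_get_customer(store, token, customer_id):
    """Authenticate with the token, then authorise: the record is returned
    only when the token was issued to the customer being requested."""
    owner = store.resolve(token)
    if owner is None or owner != customer_id:
        return None
    return CUSTOMERS.get(customer_id)


def hardened_get_own_record(store, token):
    """Simplest safe shape: never accept an id from the client at all and
    derive the identity from the session instead."""
    owner = store.resolve(token)
    return CUSTOMERS.get(owner) if owner is not None else None


if __name__ == "__main__":
    store = SessionStore()
    alice = store.login(1)
    print("vulnerable, id 2 with no credential:", vulnerable_get_customer(2))
    print("hardened, Alice asks for id 2:", hardened_get_customer(store, alice, 2))
    print("hardened, Alice asks for herself:", hardened_get_own_record(store, alice))
```

In a real service the stored side of the token would be a hash rather than the raw value, so that a leaked session table does not hand out live sessions.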

  • @paulverse4587
    @paulverse4587 3 years ago +18

    My school used a webportal a while back, so that we can upload our homework, see what is to be done, schedules and notices.
    However, the ID was stored in the URL itself - and you can see the ID of others by visiting their profile. Simply replacing it I was perfectly allowed to be my teacher or school mates, giving me full insights in all conversations between them and others. I was young so I played around a bit and was also able to see the invoices and ability to delete the entire school's account, change homework, schedules, and change admin roles. Luckily I was not stupid enough/too boring to change anything major or dwell too deep, so nobody noticed. I tried to bring this to my teacher's attention but they didn't understand or care and when they seemed to think I was trying to "hack it" I stopped trying. This was in ~2008.

    • @paulverse4587
      @paulverse4587 3 years ago +3

      Also as I found out, the school paid a ludicrous amount monthly to this platform.

    • @warmachineuk
      @warmachineuk 3 years ago +7

      Third party frameworks and libraries allowing virtually unhackable cookies were available in 2008. The developer had no excuse. Your school was ripped off.

    • @paulverse4587
      @paulverse4587 3 years ago +3

      @@warmachineuk Yup

    • @llynxfyremusic
      @llynxfyremusic 1 year ago

      god the way your teacher brushed you off pisses me off.

  • @aydoyt
    @aydoyt 3 years ago +2

    You wouldn't guess what advert YouTube decided to slap at the top of my recommendations
    Moonpig

  • @erictaylor5462
    @erictaylor5462 8 years ago +279

    Another thing to remember: There is NO SUCH THING as a 100% secure system. The Germans thought this about Enigma. They paid the price. Well the other Germans paid for them but you know what I mean.

    • @adaai2384
      @adaai2384 8 years ago +53

      +Eric Taylor That is true but it's also irrelevant. There is no excuse for large companies not following the current best practices for information security (in the UK it's a legal requirement). What Moonpig did is analogous to a bank leaving all of your money on the sidewalk with a sticky-note saying "please don't steal this." And then they tried to insist they weren't doing anything wrong.

    • @erictaylor5462
      @erictaylor5462 8 years ago +21

      GenericRubbishName
      I never said they shouldn't attempt to secure information. It's just that locks are for keeping honest people honest. You should always be trying to improve security.
      Donitz only SUSPECTED Enigma had been broken so added another wheel to it even though all the experts told him it was impossible to break Enigma. Even though this step improved the Navy's performance (at least for a while) the Germans STILL didn't realize the English had broken the Enigma code.
      The English were reading the dispatches before the German commanders were.

    • @JustusLynetta
      @JustusLynetta 7 years ago +2

      Honestly, theoretically enigma seemed unbreakable but it had a major flaw. You should check out the new version of enigma which is several magnitudes better and most likely won't be able to be cracked in humanity's time.

    • @erictaylor5462
      @erictaylor5462 7 years ago +10

      PacManAction That doesn't even make sense. "Theoretically seemed"? It was, to the people who designed it "theoretically unbreakable" and thus seemed unbreakable, but the theory was wrong.
      And you're right, the Enigma concept is still used today but with the flaw, a letter can never be "substituted" with itself, but the entire process is done in computers instead of clockwork machines.
      The great advantage of this is the number of "wheels" you can have is unlimited. And with each added wheel the number of possible outcomes is increased by a multiple of 26.
      Enigma was an amazing cipher machine, but like the builders of Titanic, they were overconfident in their design.

    • @JustusLynetta
      @JustusLynetta 7 years ago +4

      Yes, theory can be proven wrong. It's been done many times, something that works in theory doesn't always work practically.
      And I'd advise looking up the TypeX machine.

  • @geordonworley5618
    @geordonworley5618 9 years ago +4

    This is a very important point, and every programmer really needs to understand this concept. I hope the message gets across and they actually fix the system.

  • @DampeS8N
    @DampeS8N 9 years ago +49

    Great breakdown as always. Clear, detailed, correct and complete.

  • @loulimibarney3435
    @loulimibarney3435 8 years ago +48

    People should stop thinking computing is a niche area and that they are doomed not to understand anything about it, and realize computing is like law: it applies to everything and everyone should know about it.

  • @hikari_no_yume
    @hikari_no_yume 9 years ago +26

    Tom mentions this being risky because a company might sue you. It gets worse, actually: the AT&T "hack" done/discovered by weev got him in jail - and it was a very similar type of issue to the one described in this video. I won't apologise for weev because he's a nasty piece of work and has done many horrible things, but the thing that got him sent to jail was AT&T being mad over exactly this issue.

    • @philpem
      @philpem 9 years ago +29

      The key difference, as I understand it, was that Weev proceeded to crawl AT&T's customer database, download a massive chunk of it and then hand it to journalists, thus compromising thousands of customers' private information for the sake of irresponsible disclosure.
      Paul Price created a few new accounts with his own details (or perhaps fake details) to which he held the authentication details, then proceeded to use the customer IDs for those. At no point (at least based on what I'm aware that he's said publicly!) did he obtain any information to which he was not legally entitled access.
      Moonpig could take the nuclear option and try for criminal charges under, say, the Computer Misuse Act (disclaimer: I am not a lawyer, solicitor, barrister, or anything like that), but there's probably enough "responsible behaviour" to easily shoot something like that down (I'm not a lawyer. Have I said that yet?).
      That said, if MP did go down that route, the press would have an absolute field day. "Moonpig sues guy who reported security bug! A greetings card company has sued a computer security researcher who told them about a security bug, then gave them A YEAR to fix it! More on page five!"

    • @hikari_no_yume
      @hikari_no_yume 9 years ago +8

      philpem
      Yes, I suppose it's fair to say weev didn't get in trouble for merely exposing the vulnerability, I should have mentioned that.

    • @goodkisser8591
      @goodkisser8591 4 years ago +2

      Yes, hacking other companies/websites, regardless of if you’re ‘just testing’ is illegal, because nobody knows what you did as well as informing them, you could’ve already sold all of the data.

    • @hexagonist23
      @hexagonist23 4 years ago +1

      Not if you use tor.

  • @Mousy677
    @Mousy677 7 years ago +13

    I love how sarcastic Tom is in these videos, given that he's usually so nice in videos

  • @WalnutBun
    @WalnutBun 1 year ago +2

    Genuinely think that this is the sort of thing that goes beyond "incompetence" and into "criminal negligence".

  • @BanterEdits
    @BanterEdits 9 years ago +441

    Tom, I have to say, you are my favourite YouTuber, just ahead öfter Vsauce. Your content is funny, inspiring, smart and also very informative. I would love to see you on German TV one day and think: This man should be cloned because he is a perfect tutor for humans of all ages.
    Thank you for producing all of the content.
    Regards,
    Felix

    • @BanterEdits
      @BanterEdits 9 years ago +5

      *ahead of

    • @bentheguy101
      @bentheguy101 9 years ago +9

      Interesting how your profile photo is a VGA cable

    • @JamEngulfer
      @JamEngulfer 9 years ago +5

      Hey, just so you know, comments can be edited after you post them.

    • @BanterEdits
      @BanterEdits 9 years ago +12

      JamEngulfer
      not on mobile^^

    • @JamEngulfer
      @JamEngulfer 9 years ago +4

      Checkername1 | Closed Oh right, fair enough

  • @PeterT1981
    @PeterT1981 4 years ago +3

    Inspiring passion in your monologues!
    As a non-nerd, I can’t believe the degree to which I was able to follow that. Well done

  • @CalebJohnsonlivingca
    @CalebJohnsonlivingca 9 years ago +51

    good lesson in the illusion of "security through obscurity"

    • @thebouncyball2305
      @thebouncyball2305 9 years ago +3

      Yeah, it's a huge gamble to think like that. It only takes one malicious person to discover something like this, and it's only a matter of time.

  • @chrispi314
    @chrispi314 8 years ago +7

    As a developer I always think about safety first. My boss can sometimes argue that time is money; I simply answer that I know my job and time doesn't respect what we do without him.
    The problem you described suggests to me that they hired some low-cost trainee to do the job. Because, even in your studies, you learn basic stuff like that. It's practically like counting on your fingers...

  • @gunslingerspartan
    @gunslingerspartan 9 years ago +1

    you know... years ago I found this channel and it had throwing drums and a cymbal off a cliff outside Shipley, trying to get on the budget news coverage, and being elected as a pirate captain
    I really really like that I can stumble back to it for well made educational content years later

  • @samjiman
    @samjiman 8 years ago +357

    This video was sponsored by Funky Pidgeon. :P

    • @fn9six
      @fn9six 7 years ago +26

      Funky, fun and free delivery. Woohoo

    • @kristiansvendsen6906
      @kristiansvendsen6906 7 years ago +19

      We'll even throw some other customers' credit card details in! WOOOHOOOO

    • @invisi.
      @invisi. 5 years ago +4

      pigeon*

    • @adflyofficial
      @adflyofficial 4 years ago +8

      f u n k y p i g e o n . c o m

    • @thinwhiteduke4324
      @thinwhiteduke4324 4 years ago +3

      @@adflyofficial i read this like in the advert 🤦‍♀️😂

  • @paulaclarke3421
    @paulaclarke3421 8 years ago +15

    Tom Scott speaking sense as usual. Thanks Tom.

  • @Thiefree
    @Thiefree 9 years ago +1

    My brother knows me so well. He showed me three of your videos and let me get on with it. One week later, I must've seen forty or more. I like what you do, Tom!

  • @itsagentd283
    @itsagentd283 5 years ago +8

    I remember back in the day when I was making a control panel for a game server and ran it on my test server. It was hacked within minutes by a friend just because I didn't check the input of 1 script causing my friend to get access to admin on the server and causing mayhem. I just didn't escape anything for one field and that was my downfall. Luckily I asked a friend to test the security and it was on a test server. You should never release something on a live machine until it has been tested.

  • @Roxor128
    @Roxor128 9 years ago +5

    "Innocent until proven guilty" is for lawyers, not software developers.

  • @thephantom1492
    @thephantom1492 8 years ago +122

    Shouln't that compagny get an huge fine AND get banned from visa/mastercard due to the insecurity? I tought in the UK that such thing would result in huge fine due to the blattant insecurity... and credit cards don't like that too...

    • @goodkisser8591
      @goodkisser8591 4 years ago +11

      thephantom1492 the “huge fine” isn’t as big as you’d expect for a massive company, especially not back then

    • @jintie
      @jintie 4 years ago +2

      tought? you mean taught?

    • @kyleedwards4903
      @kyleedwards4903 3 years ago +16

      @@jintie Glad you're here to save us all the mental strain of trying to figure out what that could have possibly meant. God forbid a person accidentally omits a letter in a word. We need more people like you in the world, our stockpiles of unearned self-satisfaction are dangerously low

    • @TheSudsy
      @TheSudsy 3 years ago +1

      @@jintie thought

    • @j.hawkins8779
      @j.hawkins8779 3 years ago +1

      @@kyleedwards4903 you. shut up. no one cares about what you have to say. if you wanna be like that, delete your comment and go to some other website that cares about you.

  • @CoolAsFreya
    @CoolAsFreya 5 years ago +3

    As a networking student "never trust user input" and "treat everything as malicious until proven otherwise" are the two biggest rules in setting any network or service up

  • @DemolitionTurtle
    @DemolitionTurtle 9 years ago +11

    Great video, Tom! I'm never gonna give up watching if you're never gonna let me down with these ;)
    I really like these computer security videos, although it is scary how insecure some reputable services are.

    • @Kitulous
      @Kitulous 3 years ago

      did you just rickroll me?

    • @LunizIsGlacey
      @LunizIsGlacey 3 years ago

      @@Kitulous yes, they did.

  • @Phantoml25
    @Phantoml25 8 years ago +84

    "how could I break this" That's how I always think

    • @joshuahadams
      @joshuahadams 8 years ago +23

      Sledge hammer, that's how you can break this.

    • @Xeverous
      @Xeverous 8 years ago +12

      +Josh Adams with enough force, everything can be "solved"

    • @renatokobashigawa7025
      @renatokobashigawa7025 6 years ago +3

      that's how my country thinks about economy

    • @lappansommer546
      @lappansommer546 3 years ago +1

      Even about my heart!? (sniff)

  • @Alex2Buzz
    @Alex2Buzz 9 years ago +24

    "When dealing with sensitive information, assume the client is compromised."

    • @gametime449
      @gametime449 8 years ago

      He indeed did say that.

    • @Alex2Buzz
      @Alex2Buzz 8 years ago +1

      gametime449
      Yes, it's my own tweak on it. I actually came up with it before I watched this video.

  • @FerroNeoBoron
    @FerroNeoBoron 9 years ago +1

    "Code it like someone is going to break it" is not only a good mantra for security purposes, it's usually a good mantra for writing application code in general.

  • @Booone008
    @Booone008 9 years ago +12

    Excellent video! It baffles me every time I hear of one of those incidents that there are still PAID developers who make these mistakes. Allow authentication with nothing but an auto-incrementing user id?! I cannot even count the amount of bells that should ring.
    Heck, even 9-year-old me wrote better authentication systems than that (and that used a shitty md5 function applied to the non-salted password, and the token was a PHP session id transmitted over the URL query string ... good old times ...).
    I didn't consider it possible to find something worse than that in f***ing 2014!
    Thanks for spreading awareness, Tom, and kudos to the guy who reported the hole.

  • @imarcus1973
    @imarcus1973 5 years ago +5

    I once had the pleasure of doing some updates on an accountant's website. I discovered that as well as all their clients' passwords being stored in plain text, their uploaded accounts documents were stored in a publicly accessible folder with consecutive ids as file names. To be fair, the company I worked for had me update the code at no cost to the customer.
    I was amazed at how many passwords were in the format: [username]123 ...!

  • @ANXIETOR
    @ANXIETOR 9 years ago +11

    I see that three employees of moonpig gave you thumbs down.

  • @Erraticfox
    @Erraticfox 9 years ago

    Outstanding Tom, you always explain these videos with just the right amount of information. Not too much and not too little. Keep up the great work, Tom! Cheers.

  • @Kerbal_fever
    @Kerbal_fever 3 years ago +2

    I always remember my IT teacher looking over our code as 'A test of destruction'.

  • @JustOneAsbesto
    @JustOneAsbesto 9 years ago +25

    "Moonpig bug" sounds like something from a Beat Poem, or William S. Burroughs novel.

    • @Sathrand
      @Sathrand 9 years ago

      Thank you for the hearty laugh.

  • @CoffeeOnRails
    @CoffeeOnRails 7 years ago +49

    found this kinda incompetence with the reg system at school. they attempted to throw me out

    • @VicvicW
      @VicvicW 7 years ago +35

      Zach Ashton A third party system our school used was terrible. Albeit it was just a past paper system, but it's even the idea of it.
      I said I'd forgotten my password, expecting the standard "enter new password" malarkey. Nope, it sends me a plaintext version of the password.

    • @geraldhenrickson7472
      @geraldhenrickson7472 6 years ago +2

      You are the exception... i.e. different. Different scares people. Do not stop.

    • @ahreuwu
      @ahreuwu 6 years ago +4

      my school got literally a plain windows 7 install from 2010 with no access to updates (somehow) and the admin password was "" (nothing, just press enter). wut

    • @undead890
      @undead890 5 years ago

      Jack B Ouch, that site hurt my web developer soul.

  • @djofftheshit
    @djofftheshit 2 years ago +1

    7 years later, the description was never updated

  • @FabrizioBianchi
    @FabrizioBianchi 9 years ago +1

    Love when Tom explains protocols and love the new graphics too!

  • @allanrichardson1468
    @allanrichardson1468 6 years ago +3

    When I was programming mainframes, the biggest worry was user input that might ACCIDENTALLY crash a program, and most of the input editing was aimed at those kinds of errors, like someone exchanging a transaction’s effective date and their birth date on a form, and then we tried to compute their age.
    Once the PC and the internet appeared, we also had to worry about outsiders trying to crash or misuse systems on purpose.

  • @TacComControl
    @TacComControl 2 years ago +5

    Remember to check through more than 14 different listings when checking for Pen-testers. The Pen-15 rule is EXTREMELY important to remember.

  • @CinemaDemocratica
    @CinemaDemocratica 1 year ago +1

    Greatest opening line of a Tom Scott video in history.

  • @AntiComposite
    @AntiComposite 8 years ago +1

    Their press response is basically saying "Please don't punish us for PCI violations," as many do. And no, the last four digits of a credit card number are not payment information. Troy Hunt wrote a good piece on this.

  • @Igneous01
    @Igneous01 8 years ago +4

    You would be surprised at how terribly vulnerable and poorly designed some software is in the business world. I go mad thinking about what's going to happen when our company launches its SaaS platform...

  • @j2simpso
    @j2simpso 4 years ago +7

    Ahh, good ol' pentest. As a leftie I’m very fond of this as most pens on the market smudge unless you adapt a crane's grip on the pen. Having to go through hundreds of pens to find that one pen that both doesn’t smudge but also maintains a smooth flow of ink is crucial. 🤣

    • @Khunark
      @Khunark 1 year ago

      goddamned liberal

  • @thenerdyouknowabout
    @thenerdyouknowabout 9 years ago

    I have never heard a better summary of Moonpig! Brilliant, Tom!

  • @Vedrajrm
    @Vedrajrm 6 years ago +1

    This channel is amazing,
    I've been like binge-watching his videos like every day

  • @AJG6150
    @AJG6150 8 years ago +182

    For some reason, whenever I watch Tom's videos, I become thirsty.

  • @dapperrogue
    @dapperrogue 9 years ago +4

    Delta Airlines had a similar bug in December that allowed you to use another passenger's boarding pass. Whoops.

  • @ThatDevMatOfficial
    @ThatDevMatOfficial 3 years ago +1

    From personal experience... Developers are actively told not to worry about cyber security by managers. This is bad because development teams have larger teams and more money than cyber security. Cyber security isn’t profitable in the eyes of the managers. That’s the big problem. I, as a developer, can’t add extra security.

  • @warmachineuk
    @warmachineuk 6 years ago +2

    As a programmer, I know there's simply no excuse for this. Web application frameworks can generate large, unguessable strings of text as session ids. Even if someone manages to copy your session id, it's useless as soon as you log out or you've been idle too long. The client never sees a customer id.

  • @Falney
    @Falney 8 years ago +4

    There is nothing wrong with using consecutive numbers for an ID in certain circumstances. For instance, if the ID is kept fully internal and no one ever finds out how your ID system works and it isn't used with vulnerable data.
    A far more suitable approach (and the one I use) is to use UUIDs. This is a random 36-character hexadecimal value which has less than a 1% chance of returning a duplicated UUID for every quintillion UUIDs. There are over 5 unodecillion combinations possible. Which is basically a lot.

    • @Qbe_Root
      @Qbe_Root 7 years ago +7

      Of course, just don’t use consecutive IDs as permanent tokens to access private accounts…

    • @floppaquest4916
      @floppaquest4916 6 years ago

      5 unodecillion? Amateur. Try 2 combinations.

  • @AllThoughts3rased
    @AllThoughts3rased 6 years ago +21

    "moonpig, well they make crap"
    Oh this is gonna be good

  • @warmachineuk
    @warmachineuk 3 years ago +2

    As others have written, treat all user input as evil. Desktop web browsers have a developer mode, allowing even amateur users to edit the page they download, including hidden form values, cookies, hyperlink parameters, and form validation done in Javascript. Identify the customer from a hidden customer id in the page and a teenager will hack your application.
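The pattern the two @warmachineuk comments above describe (and the Moonpig bug itself), as an added Python example that is not code from the video, the commenters, or Moonpig: a lookup that believes whatever sequential customer id the client sends, beside a version where a random server-side session token decides who the caller is and an idle timeout or logout kills it. All customer records, passwords, and the `IDLE_TIMEOUT` value are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # constructed: seconds of inactivity before a session dies

# Constructed demo customers with sequential ids, as in the video (no real data).
CUSTOMERS = {
    1: {"name": "Alice Example", "card_last4": "1234"},
    2: {"name": "Bob Example", "card_last4": "5678"},
}


def _hash_password(password, salt):
    # Slow salted hash; the server never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALTS = {cid: secrets.token_bytes(16) for cid in CUSTOMERS}
_HASHES = {1: _hash_password("alice-pass", _SALTS[1]),   # constructed
           2: _hash_password("bob-pass", _SALTS[2])}     # constructed


def vulnerable_get_customer(customer_id):
    """The Moonpig pattern: the client states which customer it is and the
    server believes it, so any sequential id returns that customer's record."""
    return CUSTOMERS.get(customer_id)


class SessionStore:
    """Hardened pattern: login yields a random, unguessable token; the server's
    own token -> customer mapping decides identity, never a client-supplied id."""

    def __init__(self):
        self._sessions = {}  # token -> (customer_id, last_seen)

    def login(self, customer_id, password, now=None):
        now = time.time() if now is None else now
        salt = _SALTS.get(customer_id)
        if salt is None:
            return None
        candidate = _hash_password(password, salt)
        if not hmac.compare_digest(candidate, _HASHES[customer_id]):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = (customer_id, now)
        return token

    def logout(self, token):
        # A logged-out token is useless even if someone copied it.
        self._sessions.pop(token, None)

    def get_customer(self, token, requested_id, now=None):
        """Return the record only if the session's owner IS requested_id."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        owner, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT:
            self._sessions.pop(token, None)  # idle too long: drop it
            return None
        self._sessions[token] = (owner, now)
        if owner != requested_id:
            return None  # cross-account request: deny (and log it in real code)
        return CUSTOMERS[owner]
```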

  • @d3line
    @d3line 9 years ago +1

    Thank you! I really enjoy your tech-y videos.

  • @levolta
    @levolta 9 years ago +30

    Interesting video!
    I would like to know what exactly identity theft is. I get the main idea, but I, and I think many others, do not know exactly what bad things can be done (or have been done in the past to regular people). Most people I know do not really care about it.

    • @TomScottGo
      @TomScottGo 9 years ago +37

      levolta It's a shorthand for "someone impersonating you" -- best case, they order a couple of things using your credit card, your bank notices and cancels everything, no major harm done. Worst case -- and you see cases of this with relatives and friends, not unknown online attackers -- they take out some loans in your name, run off with the money and ruin your credit score.

    • @NNOTM
      @NNOTM 9 years ago +12

      I think the worst case is probably a whole lot worse than that. Granted, this is unlikely to happen to a lot of people, but I think someone who can impersonate can, in addition to ruining your credit score, also ruin the relationship with anyone you know, get you to lose your job, get you into a court for some crime you didn't commit, etc.

    • @Booone008
      @Booone008 9 years ago +10

      NNOTM
      As you pointed out, doing that is luckily not the goal of the average bad guy targeting insecure services. If the attacker does not hold a personal grudge against you but is instead targeting random people that he happens to be able to hijack, he is usually "only" after money and/or prestige.
      That being said, it can still ruin you pretty easily when your online identity is taken over, especially nowadays where so much of our life takes place online ...

    • @jca111
      @jca111 9 years ago +6

      Identity theft can manifest in many ways, but I was the victim about 8 years ago, and someone took £2K of loans out in my name. It took me 4 years to clear my name, and an awful lot of aggro. They were however caught. All they needed was my name, address and DOB. Where they got it from (it was no one I knew) I do not know, but it could realistically be many places.

  • @dom_h
    @dom_h 9 years ago +14

    Does this mean you can get the tester account details by trying the first few accounts? :D

    • @thebouncyball2305
      @thebouncyball2305 9 years ago +8

      most likely, assuming those accounts are still live.

  • @reflectedpower609
    @reflectedpower609 3 years ago +2

    Fun fact, $10,000 in Bitcoin when this video released is worth $1.4 million today.

  • @douglasg14b
    @douglasg14b 4 years ago +1

    Don't forget that project management often drives these kinds of flaws, not necessarily the devs themselves.
    I've been on projects where I bring up that accounts can be enumerated, that IDs are visible sequentially, etc. But it ALWAYS gets deferred to the "It hasn't been a problem yet, so we are not going to work on it" pile of security negligence.

  • @fig8man
    @fig8man 8 years ago +19

    How do you mine bitcoins with a credit card? where do I even plug it in?

    • @pisse3000
      @pisse3000 8 years ago +2

      The disk drive. And don't worry if your computer doesn't have one, there are external ones you can buy.

    • @pisse3000
      @pisse3000 8 years ago +1

      ***** (it's a joke)

    • @pisse3000
      @pisse3000 8 years ago +2

      ***** But 2 am is the best time to read UA-cam comments!

    • @Luca-jy8ne
      @Luca-jy8ne 7 years ago +3

      I'd say buy a lot of hashing power from someone else and direct it to your wallet. Not sure if there's an easier way.

  • @miko5742
    @miko5742 3 years ago +6

    watching this after spiff's new vid

  • @Cerise4697
    @Cerise4697 1 year ago

    Coming back to watch this 7 years later, aaaand.... No update about Moonpig ever getting back to him. Tom could have forgotten to update the description, or it could be the more likely explanation.

  • @Turbogames_tuwr_old
    @Turbogames_tuwr_old 1 year ago +2

    The fact that Moonpig hasn't responded even after 8 years is concerning

  • @samsargent284
    @samsargent284 4 years ago +4

    "...and run up 10,000 quid mining bitcoin on someone else's credit card." I love you Tom

  • @Icalasari
    @Icalasari 5 years ago +4

    I love how THREE YEARS LATER, the description doesn't have a response edited in
    Guess Moonpig never learned...

    • @goodkisser8591
      @goodkisser8591 4 years ago

      Icalasari they simply chose not to leave a public response, I don’t think that means they never learned.

  • @NNOTM
    @NNOTM 9 years ago +1

    I think an even slightly better question than "How could I break this?" might be "How do I break this?"

  • @blackAngel88it
    @blackAngel88it 4 years ago +1

    The token being the only thing needed to authenticate the user is definitely much, much worse than having a sequential ID. The combination of it is quite catastrophic, of course.

  • @a_penguin1183
    @a_penguin1183 4 years ago +3

    Was it just me that got an advert from Moonpig straight after the video? 😂

    • @fourk_
      @fourk_ 3 years ago +1

      I started getting moonpig ads. I thought I was the only one

  • @hugo57k91
    @hugo57k91 3 years ago +3

    00:04 I heard that as "and they make personalized crack" and I was very confused

  • @Bob_Burton
    @Bob_Burton 9 years ago +1

    This reminds me of the way that the Web based expenses system of a company that I worked for was coded.
    When submitting an expenses claim online it was given an ID (a sequential number) and at the end of the submission process the user was given an option to print the expenses claim form for their records. If you chose to do that, the URL for the print request contained the ID as part of a query string, so by substituting another number you could (allegedly) print off any expenses claim ever submitted.
    When this was pointed out to the people who wrote and maintained the system it was ignored. Bearing in mind that the company was a large software house employing hundreds of programmers I have no doubt that people other than me noticed the flaw and for all I know exploited it to snoop.

  • @billyjesus5442
    @billyjesus5442 2 years ago

    switching between two static cameras, love it!

  • @VitaNova83
    @VitaNova83 8 years ago +3

    I love all the 'developer bashing' replies to this. In the real world, outside of academia and hobbyist programming, you have to realise that quite possibly this was not the fault of the developer. He/she may have been screaming bloody murder about wanting to do it the right way, about how they need more time to get it right. But if it's not in the project plan, if the stakeholders don't want to pay for it or won't listen to advice, then bad code goes into production. It's not fair to blame the developer when the shit hits the fan a year down the line.

    • @PeterAuto1
      @PeterAuto1 8 years ago +1

      You don't need much more time to introduce random numbers for the user IDs. It also wouldn't be perfectly safe, but now the hacker has to guess each ID.
      I think the stakeholders don't say to the developer, you have to make continuous IDs.

  • @the1exnay
    @the1exnay 7 years ago +5

    Always assume the attacker knows every detail about how your servers work, every bit of code. And assume they can control every single bit in the packet they send to your server (because they can). And then ask "can they break this?" and then ask someone else "can you break this?". And then after that, something might have been missed, but at least you won't look like a dumbass

  • @SulphurS16
    @SulphurS16 4 years ago

    The beginning is the best explanation of moonpig

  • @ginfox91
    @ginfox91 9 years ago +1

    Thanks Tom, another interesting video. I'm glad I've never registered with Moonpig. I'll bear this in mind the next time I code.

  • @angelthemage2972
    @angelthemage2972 4 years ago +6

    it’s been 5 years and they haven’t replied. F

  • @Showsni
    @Showsni 8 years ago +4

    So what is the best way to report something like this? I ran across a security vulnerability on a certain broadband provider's website entirely by accident - one that ultimately let you log in to anyone's account simply by knowing the username, without having to use the password at all. (Then once you're logged on you can of course see address, email, name, phone number, past invoices, etc...) Several emails to the company over the course of a few weeks and no fix; eventually, after a few months pass, I manage to get through on the 'phone, walk the tech support person through the steps, and now it looks like they've finally fixed the problem. (I am curious how exactly the problem came to exist, but I'm not exactly tech savvy. Maybe someone could explain it to me if I tell them the repro steps!). Did I do the right thing in keeping quiet and just privately contacting the company?

    • @NoriMori1992
      @NoriMori1992 8 years ago +2

      Yes. That's what the guy who found the Moonpig vulnerability did. If they fixed it after you helped them, then there's nothing more for you to do. If they haven't fixed it yet, it's time to go public with it.

  • @TimSavage-drummer
    @TimSavage-drummer 7 years ago +2

    Basically, web application development 101 "never trust any input until it's been validated". Sadly it's been on the OWASP Top 10 for years.
    I'd really like to see governments step up and impose serious penalties on companies that don't get the basics right, ignorance is no argument here, if you don't know what you are doing you should not be dealing with PII data.

  • @youtubecom3474
    @youtubecom3474 9 years ago

    Well said. Developers so often consider security an afterthought, which makes things harder for everyone.