The Moonpig Bug: How 3,000,000 Customers' Details Were Exposed

  • Published 4 Dec 2024

COMMENTS • 946

  • @sxa555
    @sxa555 10 years ago +3868

    I'm really hoping that the term "moonpigging" becomes a term for companies that give a vague "Your security is important to us" message. Next time I get one (on twitter) I'm RT'ing it with a message "I'VE BEEN MOONPIGGED"

    • @thejay8963
      @thejay8963 6 years ago +174

      sxa555
      Moonpigging
      Mün-pig-ing
      When a Company lies about internet security by making false claims of security that stated company does not have.

    • @techheck3358
      @techheck3358 6 years ago +154

      Tom Lake Charles
      Moonpigging
      /muːn/pɪɡ/ɪŋ/
      verb *VULGAR SLANG • ENGLISH*
      1. When a company makes a very
      specific denial of a security bug
      “I was moonpigged”
      _synonyms:_ disgrace, dishonour,
      disrespect

    • @hencytjoe
      @hencytjoe 5 years ago +50

      I hereby take the liberty of claiming this term as a valid choice of expression for the aforementioned reason.

    • @richardmillhousenixon
      @richardmillhousenixon 4 years ago +1

      @Kanashimi You can do that with Google Home

    • @qqqalo
      @qqqalo 4 years ago +12

      When someone claims to care about your data it means they want to sell it and couldn't care less about it.

  • @s6th795
    @s6th795 7 years ago +7045

    Rule #1 of database design: All user input is evil. No exceptions.

    • @AshtonSnapp
      @AshtonSnapp 5 years ago +358

      What if the user input causes an exception?

    • @tiny_toilet
      @tiny_toilet 5 years ago +499

      @@AshtonSnapp See Rule #1.

    • @Tobias-nv3dx
      @Tobias-nv3dx 5 years ago +105

      @@AshtonSnapp I laughed way too hard at this ...

    • @AshtonSnapp
      @AshtonSnapp 5 years ago +34

      Tob ias I’m glad to know that :D you have an awesome day

    • @KnakuanaRka
      @KnakuanaRka 5 years ago +19

      Or at least treat all user input as possibly malicious.

  • @SorryBones
    @SorryBones 4 years ago +714

    “If they respond I’ll put it in the description”
    ...a half decade waiting list huh? They must be very very busy

    • @liquidtvafternoons5315
      @liquidtvafternoons5315 3 years ago +3

      @@ejewart1450 the patients don't last long

    • @meta04
      @meta04 7 days ago

      we're... brushing up on 10 years now?

  • @LeftRight1511
    @LeftRight1511 8 years ago +754

    The notion that people still don't "code like they're being attacked" astounds me. One of the first formal courses I took in programming, the lecturer made it very clear we understood the notion and importance of defensive programming.

    • @ktcd1172
      @ktcd1172 8 years ago +36

      Some of us are Old School Programmers. Way back in the day the only kind of real hacking that needed to be worried about was some student coding something that would walk a printer across the room until it pulled the plug from the wall shutting it down until you could get engineers into the facility and haul it back into place and reset the equipment with the system. Security was maintained with locks on the doors and ID checks on personnel allowed into the locations with terminals.

    • @Toothily
      @Toothily 5 years ago +12

      @@ktcd1172 okay boomer

    • @WildBluntHickok
      @WildBluntHickok 4 years ago +30

      @@Toothily Nice to see someone using the word boomer correctly. I'm from the generation after the boomers and what he's talking about would've been when I was a kid in the 80s.

    • @nichm7318
      @nichm7318 3 years ago +1

      @@WildBluntHickok o k b ö m e r

    • @doomse150
      @doomse150 3 years ago +2

      Or you could just start using a high level web framework, since the people designing those usually know what they are doing way better than you do

  • @petartodorov9202
    @petartodorov9202 5 years ago +2322

    231 weeks since this video was uploaded. Tom hasn't updated the video description with moonpig's response yet...

    • @JackTheGamingGuy4REALZ
      @JackTheGamingGuy4REALZ 4 years ago +138

      5 years no update

    • @taylor1991
      @taylor1991 4 years ago +14

      Does anyone care, doesn't have to be impartial or balanced

    • @butikikisame2548
      @butikikisame2548 4 years ago +147

      I don't think Moonpig responded at all. I can't find any article after Moonpig's initial public response.

    • @IvanLDiaz
      @IvanLDiaz 4 years ago +50

      September 9th, 2020. Pandemmial here. Tom still doesn't get a reply.

    • @addisonchan3053
      @addisonchan3053 4 years ago +43

      @@IvanLDiaz Someone seeing the word pandemmial 50-100yrs onward would sound like some trend name or something.

  • @aliabdaal
    @aliabdaal 4 years ago +3651

    Wish I’d mined bitcoin in 2015

    • @distantt
      @distantt 4 years ago +14

      I wonder how it works

    • @hgu
      @hgu 4 years ago

      Rip

    • @lukasvavrich3349
      @lukasvavrich3349 4 years ago +308

      I did. And I forgot about it. And now there is a bitcoin wallet somewhere on the internet with $800 000 that I can't access. RIP me.

    • @distantt
      @distantt 4 years ago +40

      @@lukasvavrich3349 rip you

    • @youngclueless7364
      @youngclueless7364 4 years ago +2

      Ik ur cousin

  • @AwesomeMinecraftersakuraodomMC
    @AwesomeMinecraftersakuraodomMC 8 years ago +9359

    I cringed so hard when he said that Moonpig decided to use consecutive IDs. I think I'm finally becoming a computer nerd

    • @kristiansvendsen6906
      @kristiansvendsen6906 8 years ago +120

      Nope just a weaboo

    • @froidesprit
      @froidesprit 7 years ago +364

      Nah, definitely a computer nerd. I cringed too, and I am the most anti-anime person alive.

    • @TheHaughtsauce
      @TheHaughtsauce 6 years ago +229

      There is nothing wrong with consecutive IDs. If you think consecutive ids are a problem, it is actually a symptom of a much larger authentication/authorization issue

    • @CrazyConnor2
      @CrazyConnor2 6 years ago +1

      Same XD

    • @undead890
      @undead890 6 years ago +260

      Consecutive IDs aren't the problem, as long as they are only used on the backend and no one ever sees them.

  • @erictaylor5462
    @erictaylor5462 9 years ago +1324

    I found a security hole in a courthouse. I had Jury Duty so was going to the courthouse every day. I also have a fake leg that sets off metal detectors. This meant, every day I went there they had to pull me aside, scan me with a handheld device then check my leg. They did this the first three days, then on the 4th (and all the rest of the days) they just waved me through, without bothering to check. This meant, had I wished to, I could have easily gotten a gun or other weapon into the courthouse.
    When I called they were very interested to hear this. They thanked me and quickly fixed it.

    • @liesdamnlies3372
      @liesdamnlies3372 8 years ago +132

      +Eric Taylor Government showing more responsibility for security than a large corporation. I don't know if I should be surprised or something else.

    • @erictaylor5462
      @erictaylor5462 8 years ago +254

      *****
      This wasn't "government". This was a single individual whose ass would have been on the line had someone managed to get a weapon in.
      Also this was several years ago. Who knows if the same thing wouldn't happen again.

    • @liesdamnlies3372
      @liesdamnlies3372 8 years ago +72

      Eric Taylor
      Well, okay, someone working for government. Which yes, I'm definitely surprised, given that the level of incompetence demonstrated by government in IT can be staggering. (I've received passwords, which can't even be changed, from government websites, via email in plaintext. Cringe.)

    • @erictaylor5462
      @erictaylor5462 8 years ago +8

      *****
      I sent my sister a password in code at least.

    • @toproudtooadmitmitsake1842
      @toproudtooadmitmitsake1842 5 years ago +19

      @@erictaylor5462 You're thinking too zoned in, it is the government, you can never rely on security to police itself, complacency especially in repetition is human nature, the onus is on the government to monitor quality and ensure safeguards are in place to keep a constant standard of security.

  • @mena376
    @mena376 8 years ago +1180

    half moon, half pig, and half bug.... no wait

    • @theLuigiFan0007Productions
      @theLuigiFan0007Productions 8 years ago +175

      The 3 halves you just mentioned caused a buffer overflow in the terribly written site.
      Congratulations, you now have root access to everything. :DDDDDDDDDDDDDDDD

    • @froidesprit
      @froidesprit 8 years ago +53

      theLuigiFan0007
      Not upvoting your comment because you will then have two different buffer overflows.

    • @pinkribbon1007
      @pinkribbon1007 6 years ago

      mena3976 😂👏

    • @panda4247
      @panda4247 6 years ago +7

      It's half moon and half pigbug. Better call Al Gore

    • @Banzybanz
      @Banzybanz 6 years ago +2

      Lulz. This week the same topic was revisited in South Park.

  • @Fraktallity
    @Fraktallity 9 years ago +3987

    Tom scott- Defenitley not sponsored by moonpig.

    • @Fraktallity
      @Fraktallity 8 years ago +20

      *****
      No such thing as bad publicity, however I doubt Tom would have sold out that hard if at all.

    • @kobiemelverton2231
      @kobiemelverton2231 8 years ago +30

      By law, he has to state it

    • @kikicat123
      @kikicat123 8 years ago +29

      you need to send that grammar to moonpig

    • @JarvisPatterson01
      @JarvisPatterson01 8 years ago +1

      +kobie melverton we all know that now don't we

    • @jpeg8596
      @jpeg8596 6 years ago +4

      Fraktallity - Cheeky Videos ( ͡° ͜ʖ ͡°) He wouldn’t because it is illegal to not disclose that you’re sponsored.

  • @GamesFromSpace
    @GamesFromSpace 10 years ago +153

    Another pro tip: If you're working with offshore developers, always make sure they implemented features the way you requested. I've narrowly avoided silly problems like "sequential customer IDs" or "token strings containing user info" that way. You get what you pay for.

    • @robertlozyniak3661
      @robertlozyniak3661 9 years ago +9

      +Joshua Pearce I wonder which is harder, making sure they do it the way you want or just doing it yourself.

    • @GamesFromSpace
      @GamesFromSpace 9 years ago +4

      Robert Lozyniak It depends if doing it yourself means reading their code.

    • @jacobtracey555
      @jacobtracey555 2 years ago

      TL;DR: Don't hire Indian programmers.

    • @eTiMaGo
      @eTiMaGo 2 years ago +6

      @@jacobtracey555 Nothing wrong with them, but I once had an Indian friend tell me that the best programmers there end up getting hired by large companies, leaving mostly newbies and low-skilled programmers left on upwork, freelancer, etc.

    • @mystic_galaxies9832
      @mystic_galaxies9832 2 years ago

      @@jacobtracey555 and why Indians specifically?

  • @Arbenowskee
    @Arbenowskee 4 years ago +49

    As Tom mentions in 3:34 - a word of caution, always report these kinds of bugs through a lawyer. Big companies will happily sue you or report you to police for "hacking" instead of saying thank you, even if your intentions were 100% honest and you showed them that. Has happened to more than one person I know.

  • @beenis08
    @beenis08 5 years ago +231

    Companies: writing bad code
    Tom: "y'all are getting paid?"

    • @chewtag
      @chewtag 4 years ago

      not funny

    • @beenis08
      @beenis08 4 years ago +12

      @@chewtag damn... and I assume you didn't laugh? 😞

    • @codinghub3759
      @codinghub3759 3 years ago +4

      @@beenis08 was funny, did laugh

  • @mathgeniuszach
    @mathgeniuszach 5 years ago +42

    I agree with you; something my uncle always says: whatever you program, try to get it to fail. Don't program it to fail, but test it and try to get it to fail so you can fix it. That's one of the reasons I like ethical hackers so much and the companies that use them; you know they won't easily fail to simple security flaws. Kudos to anyone who finds these issues and reports them urgently, safely, and carefully.

  • @OmegaCraftable
    @OmegaCraftable 10 years ago +599

    "Code like you're being attacked", love that. :)
    Great video as always!

    • @57thorns
      @57thorns 5 years ago +8

      Because you are under attack, this is the internet we are speaking of.

    • @kusaisama
      @kusaisama 3 years ago

      💗

  • @elminz
    @elminz 10 years ago +189

    I think one of the biggest things I learnt about security from hackers when working on online games is: "Assume all data you get could be a hack". Even if it's as simple as someone's date of birth, assume it could be forged data designed to break your system. No exceptions.

  • @kujmous
    @kujmous 10 years ago +466

    One could only guess what rights account number 1 was allowed to do.

    • @AshtonSnapp
      @AshtonSnapp 7 years ago +31

      kujmous Acc No 1 is probably the admin.

    • @Hahahawhatsup
      @Hahahawhatsup 6 years ago +136

      cheers sherlock

    • @lyrimetacurl0
      @lyrimetacurl0 6 years ago +26

      What about number 0? The boss?

    • @mitch_tmv
      @mitch_tmv 5 years ago +23

      no number 0 is the time traveller

    • @Chris_Cross
      @Chris_Cross 5 years ago +19

      Try -42

  • @rogerwilco2
    @rogerwilco2 10 years ago +39

    The problem is that a lot of these things are done when a company has no clue about code themselves and hires someone with a fast talk, or has the 16 year old son of one of the managers do it in a weekend.
    And then it stays in the code when the site grows and starts attracting lots of customers.
    Nobody will be asked to look at it, because "it has worked reliably in the past".

  • @tymo7777
    @tymo7777 10 years ago +24

    You are a fantastic model for a responsible public figure on the internet.

  • @Foul_Quince
    @Foul_Quince 4 years ago +12

    I am constantly amazed how many developers incorporate security through obscurity as a strategy.

  • @HenryW9
    @HenryW9 10 years ago +870

    "Ah, nobody will notice this" - a very British attitude

    • @hikari_no_yume
      @hikari_no_yume 10 years ago +21

      Also rather reckless. :(

    • @geraldhenrickson7472
      @geraldhenrickson7472 7 years ago +22

      Henry W: British? Denial seems a rather large factor of the human condition. I believe anyone, anywhere could say this.

    • @geraldhenrickson7472
      @geraldhenrickson7472 7 years ago +5

      Mr Shekel: Why fuel the fire of discontent? Stop blaming all of a given nationality... for the acts of but a tiny few.

    • @pepperjeanne1566
      @pepperjeanne1566 6 years ago +20

      More like " a very *human* attitude"

    • @John2find
      @John2find 5 years ago +1

      I thought it was Indian attitude.

  • @DamienWells
    @DamienWells 10 years ago +129

    Not too long ago, someone I know gave me some advice similar to what you said at the end of the video. His words were along the lines of "When coding security as an adult, don't think logically, try to think like a kid. If you build it logically and too structured it's easy to crack. And even if it's logical and structured but still you think it's near unbreakable, most of your attackers will be kids, young people, the ones who think outside the box. It's easy for those people to find holes you never thought possible."
    What are your thoughts on this?

    • @vincentmuyo
      @vincentmuyo 6 years ago +7

      ... Why wouldn't you code logically? It's not going to get safer just because no one can read the code.

    • @Ashebrethafe
      @Ashebrethafe 5 years ago +40

      @@vincentmuyo The code should be a logical implementation of the design, but that design should be as unstructured as possible. Moonpig should have used random customer IDs, instead of taking the "logical" approach of making them consecutive, so that nobody could use their IDs to determine someone else's. They also should have generated a _different_ random ID for each token, so that a user whose token ID was compromised could get a new one by deleting the old token and signing in with their username and password.

    • @Toothily
      @Toothily 5 years ago +28

      I think that's a poorly articulated way to say, don't get cocky or rest on your laurels, but instead be curious and devious in testing your own code.

    • @beesree39
      @beesree39 4 years ago +20

      @@Toothily how does one rest on a yanny

    • @clockworkkirlia7475
      @clockworkkirlia7475 4 years ago +3

      @@beesree39 ...Well played.
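The comments above make two points in words: consecutive customer IDs are only a symptom, the real defect is a missing authorization check, and session tokens should be random, carry no customer data, and be revocable one at a time. The following Python is an added example written for this page, not code from Moonpig, Tom Scott or Paul Price. The customers, orders, passwords and salt are constructed sample data, and the in-memory dictionaries stand in for a database and a session store.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (not Moonpig's): customers keyed by the consecutive
# internal IDs the video describes, and the orders each one owns.
CUSTOMERS = {1: "alice", 2: "bob"}
ORDERS = {
    101: {"owner": 1, "card_last4": "4242"},
    102: {"owner": 2, "card_last4": "1111"},
}

# Constructed demo salt and passwords; a real system uses a per-user salt.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


PASSWORD_HASHES = {1: _hash("alice-pass"), 2: _hash("bob-pass")}

# Server-side session store: opaque random token -> customer ID.
SESSIONS: dict = {}


def lookup_vulnerable(claimed_customer_id: int) -> Optional[dict]:
    """The flawed pattern from the video: the client supplies its customer ID
    and the server trusts it. Because the IDs are consecutive, changing the
    number walks through every account, but the root cause is that nothing
    here ties the request to an authenticated principal."""
    for order in ORDERS.values():
        if order["owner"] == claimed_customer_id:
            return order
    return None


def login(customer_id: int, password: str) -> Optional[str]:
    """Verify the password and issue a fresh random token for this session.
    The token is only a lookup key; it encodes nothing about the customer."""
    expected = PASSWORD_HASHES.get(customer_id)
    if expected is None or not hmac.compare_digest(expected, _hash(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def get_order(token: str, order_id: int) -> Optional[dict]:
    """Hardened lookup: the principal comes from the server-side session,
    never from the request body, and ownership is checked before anything is
    returned. A missing order and another customer's order both yield None,
    so the response does not reveal which IDs exist."""
    customer_id = SESSIONS.get(token)
    if customer_id is None:
        return None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != customer_id:
        return None
    return order


def revoke(token: str) -> bool:
    """Tokens are random and stored server-side, so one compromised token can
    be revoked without touching the customer's other sessions or password."""
    return SESSIONS.pop(token, None) is not None


if __name__ == "__main__":
    tok = login(1, "alice-pass")
    print("own order:", get_order(tok, 101))
    print("someone else's order:", get_order(tok, 102))
    print("after revoke:", revoke(tok), get_order(tok, 101))
```

The vulnerable function is kept only to show the contrast: with it, the consecutive IDs are all an attacker needs, while with `get_order` the IDs can stay consecutive and still leak nothing, because the server decides who the caller is.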

  • @rud
    @rud 8 years ago +480

    "someone's ugly baby". Telling it like it is. :D

  • @shuttsteven
    @shuttsteven 10 years ago +25

    As someone who has no horse in this particular race, I have never heard of Moonpig before as a US customer, really enjoy these computer security videos. I hope to see more of them in the future!

  • @DampeS8N
    @DampeS8N 10 years ago +49

    Great breakdown as always. Clear, detailed, correct and complete.

  • @erictaylor5462
    @erictaylor5462 8 years ago +278

    Another thing to remember: There is NO SUCH THING as a 100% secure system. The Germans thought this about Enigma. They paid the price. Well the other Germans paid for them but you know what I mean.

    • @adaai2384
      @adaai2384 8 years ago +53

      +Eric Taylor That is true but it's also irrelevant. There is no excuse for large companies not following the current best practices for information security (in the UK it's a legal requirement). What Moonpig did is analogous to a bank leaving all of your money on the sidewalk with a sticky-note saying "please don't steal this." And then they tried to insist they weren't doing anything wrong.

    • @erictaylor5462
      @erictaylor5462 8 years ago +21

      GenericRubbishName
      I never said they shouldn't attempt to secure information. It's just that locks are for keeping honest people honest. You should always be trying to improve security.
      Donitz only SUSPECTED Enigma had been broken so added another wheel to it even though all the experts told him it was impossible to break Enigma. Even though this step improved the Navy's performance (at least for a while) the Germans STILL didn't realize the English had broken the Enigma code.
      The English were reading the dispatches before the German commanders were.

    • @JustusLynetta
      @JustusLynetta 7 years ago +2

      Honestly, theoretically enigma seemed unbreakable but it had a major flaw. You should check out the new version of enigma which is several magnitudes better and most likely won't be able to be cracked in humanity's time.

    • @erictaylor5462
      @erictaylor5462 7 years ago +10

      PacManAction That doesn't even make sense. "Theoretically seemed"? It was, to the people who designed it "theoretically unbreakable" and thus seemed unbreakable, but the theory was wrong.
      And you're right, the Enigma concept is still used today but with the flaw, a letter can never be "substituted" with itself, but the entire process is done in computers instead of clockwork machines.
      The great advantage of this is the number of "wheels" you can have is unlimited. And with each added wheel the number of possible outcomes is increased by a multiple of 26.
      Enigma was an amazing cipher machine, but like the builders of Titanic, they were over confident in their design.

    • @JustusLynetta
      @JustusLynetta 7 years ago +4

      Yes, theory can be proven wrong. It's been done many times, something that works in theory doesn't always work practically.
      And I'd advise looking up the TypeX machine.

  • @europeansovietunion7372
    @europeansovietunion7372 6 years ago +498

    I'm pentesting right now.
    This one has no ink anymore, next.

    • @mastertrams
      @mastertrams 4 years ago +4

      Ok, that was a good'un, but I think you're deliberately missing the point. Wrong type of pentesting mate.

    • @scepto43
      @scepto43 4 years ago +13

      @@mastertrams can't tell if that's a r/woooosh or not

    • @JustPoaj
      @JustPoaj 4 years ago +4

      @@scepto43 r/wooosh

    • @addisonchan3053
      @addisonchan3053 4 years ago

      @Michael Darrow r/noheacknowledgeditasajokebutwantedtomakesurehewasntjoking

    • @legendarytat8278
      @legendarytat8278 4 years ago

      @@addisonchan3053 r/ihavereddit

  • @jacob416
    @jacob416 4 years ago +39

    Context: I live in America. My professor always said "this isn't the justice system, everyone is guilty until proven innocent, not the other way round."

    • @electricspider2267
      @electricspider2267 1 year ago +1

      You're innocent, but btw could you like stay in this tiny room for months until we can prove you're actually guilty. Notice I didn't include a '?' because I'm not asking, I'm forcing.

    • @jacob416
      @jacob416 1 year ago +2

      @@electricspider2267 you forgot "unless you, or someone you know, is able/willing to pay several months' worth of your salary all at once, because that's a completely reasonable request of someone who more than likely lives paycheck to paycheck. Aren't you glad we have such a flawless and perfectly moral system"

    • @DrSpaceman42
      @DrSpaceman42 1 month ago

      @@jacob416 ahh, justice😊

  • @CalebJohnsonlivingca
    @CalebJohnsonlivingca 10 years ago +51

    good lesson in the illusion of "security through obscurity"

    • @thebouncyball2305
      @thebouncyball2305 10 years ago +3

      Yeah, it's a huge gamble to think like that. It only takes one malicious person to discover something like this, and it's only a matter of time.

  • @geordonworley5618
    @geordonworley5618 10 years ago +4

    This is a very important point, and every programmer really needs to understand this concept. I hope the message gets across and they actually fix the system.

  • @Mousy677
    @Mousy677 7 years ago +13

    I love how sarcastic Tom is in these videos, given that he's usually so nice in videos

  • @samjiman
    @samjiman 8 years ago +358

    This video was sponsored by Funky Pidgeon. :P

    • @fn9six
      @fn9six 8 years ago +26

      Funky, fun and free delivery. Woohoo

    • @kristiansvendsen6906
      @kristiansvendsen6906 8 years ago +19

      We'll even throw some other customers' credit card details in! WOOOHOOOO

    • @invisi.
      @invisi. 6 years ago +4

      pigeon*

    • @adflyofficial
      @adflyofficial 5 years ago +8

      f u n k y p i g e o n . c o m

    • @thinwhiteduke4324
      @thinwhiteduke4324 4 years ago +3

      @@adflyofficial i read this like in the advert 🤦‍♀️😂

  • @loulimibarney3435
    @loulimibarney3435 8 years ago +48

    People should stop thinking computing is a niche area and that they are doomed not to understand anything about it, and realize computing is like law: it applies to everything, and everyone should know about it.

  • @PeterT1981
    @PeterT1981 4 years ago +3

    Inspiring passion in your monologues!
    As a non-nerd, I can’t believe the degree to which I was able to follow that. Well done

  • @hikari_no_yume
    @hikari_no_yume 10 years ago +26

    Tom mentions this being risky because a company might sue you. It gets worse, actually: the AT&T "hack" done/discovered by weev got him in jail - and it was a very similar type of issue to the one described in this video. I won't apologise for weev because he's a nasty piece of work and has done many horrible things, but the thing that got him sent to jail was AT&T being mad over exactly this issue.

    • @philpem
      @philpem 10 years ago +29

      The key difference, as I understand it, was that Weev proceeded to crawl AT&T's customer database, download a massive chunk of it and then hand it to journalists, thus compromising thousands of customers' private information for the sake of irresponsible disclosure.
      Paul Price created a few new accounts with his own details (or perhaps fake details) to which he held the authentication details, then proceeded to use the customer IDs for those. At no point (at least based on what I'm aware that he's said publicly!) did he obtain any information to which he was not legally entitled access.
      Moonpig could take the nuclear option and try for criminal charges under, say, the Computer Misuse Act (disclaimer: I am not a lawyer, solicitor, barrister, or anything like that), but there's probably enough "responsible behaviour" to easily shoot something like that down (I'm not a lawyer. Have I said that yet?).
      That said, if MP did go down that route, the press would have an absolute field day. "Moonpig sues guy who reported security bug! A greetings card company has sued a computer security researcher who told them about a security bug, then gave them A YEAR to fix it! More on page five!"

    • @hikari_no_yume
      @hikari_no_yume 10 years ago +8

      philpem
      Yes, I suppose it's fair to say weev didn't get in trouble for merely exposing the vulnerability, I should have mentioned that.

    • @goodkisser8591
      @goodkisser8591 5 years ago +2

      Yes, hacking other companies/websites, regardless of if you’re ‘just testing’ is illegal, because nobody knows what you did as well as informing them, you could’ve already sold all of the data.

    • @bitterlemonboy
      @bitterlemonboy 4 years ago +1

      Not if you use tor.

  • @paulaclarke3421
    @paulaclarke3421 8 years ago +15

    Tom Scott speaking sense as usual. Thanks Tom.

  • @thephantom1492
    @thephantom1492 8 years ago +122

    Shouln't that compagny get an huge fine AND get banned from visa/mastercard due to the insecurity? I tought in the UK that such thing would result in huge fine due to the blattant insecurity... and credit cards don't like that too...

    • @goodkisser8591
      @goodkisser8591 5 years ago +11

      thephantom1492 the “huge fine” isn’t as big as you’d expect for a massive company, especially not back then

    • @jintie
      @jintie 4 years ago +2

      tought? you mean taught?

    • @kyleedwards4903
      @kyleedwards4903 4 years ago +16

      @@jintie Glad you're here to save us all the mental strain of trying to figure out what that could have possibly meant. God forbid a person accidentally omits a letter in a word. We need more people like you in the world, our stockpiles of unearned self-satisfaction are dangerously low

    • @TheSudsy
      @TheSudsy 3 years ago +1

      @@jintie thought

    • @j.hawkins8779
      @j.hawkins8779 3 years ago +1

      @@kyleedwards4903 you. shut up. no one cares about what you have to say. if you wanna be like that, delete your comment and go to some other website that cares about you.

  • @aydoyt
    @aydoyt 3 years ago +2

    You wouldn't guess what advert YouTube decided to slap at the top of my recommendations
    Moonpig

  • @Alex2Buzz
    @Alex2Buzz 9 years ago +24

    "When dealing with sensitive information, assume the client is compromised."

    • @gametime449
      @gametime449 8 years ago

      He indeed did say that.

    • @Alex2Buzz
      @Alex2Buzz 8 years ago +1

      gametime449
      Yes, it's my own tweak on it. I actually came up with it before I watched this video.

  • @Thiefree
    @Thiefree 10 years ago +1

    My brother knows me so well. He showed me three of your videos and let me get on with it. One week later, I must've seen forty or more. I like what you do, Tom!

  • @Phantoml25
    @Phantoml25 9 years ago +84

    "how could I break this" That's how I always think

    • @joshuahadams
      @joshuahadams 8 years ago +23

      Sledge hammer, that's how you can break this.

    • @Xeverous
      @Xeverous 8 years ago +12

      +Josh Adams with enough force, everything can be "solved"

    • @renatokobashigawa7025
      @renatokobashigawa7025 7 years ago +3

      that's how my country thinks about economy

    • @lappansommer546
      @lappansommer546 3 years ago +1

      Even about my heart!? (sniff)

  • @gunslingerspartan
    @gunslingerspartan 9 years ago +1

    you know... years ago I found this channel and it had throwing drums and a cymbal off a cliff outside Shipley, trying to get on the budget news coverage, and being elected as a pirate captain
    I really really like that I can stumble back to it for well made educational content years later

  • @BanterEdits
    @BanterEdits 10 years ago +441

    Tom, I have to say, you are my favourite YouTuber, just ahead öfter Vsauce. Your content is funny, inspiring, smart and also very informative. I would love to see you on German TV one day and think: This man should be cloned because he is a perfect tutor for humans of all ages.
    Thank you for producing all of the content.
    Regards,
    Felix

    • @BanterEdits
      @BanterEdits 10 years ago +5

      *ahead of

    • @bentheguy101
      @bentheguy101 10 years ago +9

      Interesting how your profile photo is a VGA cable

    • @JamEngulfer
      @JamEngulfer 10 years ago +5

      Hey, just so you know, comments can be edited after you post them.

    • @BanterEdits
      @BanterEdits 10 years ago +12

      JamEngulfer
      not on mobile^^

    • @JamEngulfer
      @JamEngulfer 10 years ago +4

      Checkername1 | Closed Oh right, fair enough

  • @AllThoughts3rased
    @AllThoughts3rased 6 years ago +21

    "moonpig, well they make crap"
    Oh this is gonna be good

  • @chrispi314
    @chrispi314 8 years ago +8

    As a developer I always think about safety first. My boss can sometimes argue that time is money; I simply answer that I know my job and time doesn't respect what we do without him.
    The problem you described suggests to me that they hired some low-cost trainee to do the job. Because, even in your studies, you learn basic stuff like that. It's practically like counting on your fingers...

  • @FabrizioBianchi
    @FabrizioBianchi 10 years ago +1

    Love when Tom explains protocols and love the new graphics too!

  • @paulverse4587
    @paulverse4587 3 years ago +18

    My school used a webportal a while back, so that we can upload our homework, see what is to be done, schedules and notices.
    However, the ID was stored in the URL itself - and you can see the ID of others by visiting their profile. Simply replacing it I was perfectly allowed to be my teacher or school mates, giving me full insights in all conversations between them and others. I was young so I played around a bit and was also able to see the invoices and ability to delete the entire school's account, change homework, schedules, and change admin roles. Luckily I was not stupid enough/too boring to change anything major or dwell too deep, so nobody noticed. I tried to bring this to my teacher's attention but they didn't understand or care and when they seemed to think I was trying to "hack it" I stopped trying. This was in ~2008.

    • @paulverse4587
      @paulverse4587 3 years ago +3

      Also as I found out, the school paid a ludicrous amount monthly to this platform.

    • @warmachineuk
      @warmachineuk 3 years ago +7

      Third party frameworks and libraries allowing virtually unhackable cookies were available in 2008. The developer had no excuse. Your school was ripped off.

    • @paulverse4587
      @paulverse4587 3 years ago +3

      @@warmachineuk Yup

    • @llynxfyremusic
      @llynxfyremusic 1 year ago

      god the way your teacher brushed you off pisses me off.

  • @itsagentd283
    @itsagentd283 5 years ago +8

    I remember back in the day when I was making a control panel for a game server and ran it on my test server. It was hacked within minutes by a friend just because I didn't check the input of 1 script causing my friend to get access to admin on the server and causing mayhem. I just didn't escape anything for one field and that was my downfall. Luckily I asked a friend to test the security and it was on a test server. You should never release something on a live machine until it has been tested.
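The comment above describes the one unescaped field that handed a friend admin on a test server. The following Python is an added example written for this page, not the commenter's control-panel code: it contrasts a query built by pasting the field into the SQL text with a parameterised query, using a constructed in-memory SQLite users table. The point it shows is the failure mode itself: with string building, a value containing a quote character stops being data and changes the statement, while the parameterised version treats the same value as a plain string.

```python
import sqlite3
from typing import Optional

# Constructed sample data, not from any real game server: a tiny users table
# standing in for the control panel's account store.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "player")],
    )
    conn.commit()
    return conn


def role_vulnerable(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """The mistake the commenter describes: the field is pasted straight into
    the SQL text, so whatever the user typed becomes part of the statement.
    A name containing a quote character breaks the query (or, worse, rewrites
    it) instead of being looked up."""
    row = conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchone()
    return row[0] if row else None


def role_safe(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """Parameterised query: the driver sends the value separately from the
    SQL, so the input is only ever compared as data, quotes included."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name: str) -> dict:
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    result = {"safe": role_safe(conn, name)}
    try:
        result["vulnerable"] = role_vulnerable(conn, name)
    except sqlite3.OperationalError:
        # The quote in the input terminated the string literal early and the
        # rest of the statement no longer parses.
        result["vulnerable"] = "query broken by input"
    return result


if __name__ == "__main__":
    print(compare("alice"))     # both lookups agree on a plain name
    print(compare("o'brien"))   # only the parameterised lookup survives the quote
```

The same rule applies beyond SQL: any time user data is spliced into a command, a query or markup as text, the interpreter on the other side cannot tell the data from the structure, and parameterised or escaped APIs exist precisely to keep the two apart.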

  • @Booone008
    @Booone008 10 років тому +12

    Excellent video! It baffles me every time I hear of one of those incidents that there are still PAID developers who make these mistakes. Allow authentication with nothing but an auto-incrementing user id?! I cannot even count the amount of bells that should ring.
    Heck, even 9-year-old me wrote better authentication systems than that (and that used a shitty md5 function applied to the non-salted password, and the token was a PHP session id transmitted over the URL query string ... good old times ...).
    I didn't consider it possible to find something worse than that in f***ing 2014!
    Thanks for spreading awareness, Tom, and kudos to the guy who reported the hole.

  • @Erraticfox
    @Erraticfox 10 років тому

    Outstanding, Tom, you always explain these videos with just the right amount of information. Not too much and not too little. Keep up the great work, Tom! Cheers.

  • @CoffeeOnRails
    @CoffeeOnRails 7 років тому +49

    found this kinda incompetence with the reg system at school. they attempted to throw me out

    • @VicvicW
      @VicvicW 7 років тому +35

      Zach Ashton A third-party system our school used was terrible. Albeit it was just a past paper system, but it's even the idea of it.
      I said I'd forgotten my password, expecting the standard "enter new password" malarkey. Nope, it sends me a plaintext version of the password.

    • @geraldhenrickson7472
      @geraldhenrickson7472 7 років тому +2

      You are the exception...ie different. Different scares people. Do not stop.

    • @ahreuwu
      @ahreuwu 6 років тому +4

      my school got literally a plain windows 7 install from 2010 with no access to updates (somehow) and the admin password was "" (nothing, just press enter). wut

    • @undead890
      @undead890 6 років тому

      Jack B Ouch, that site hurt my web developer soul.

  • @WalnutBun
    @WalnutBun Рік тому +2

    Genuinely think that this is the sort of thing that goes beyond "incompetence" and into "criminal negligence".

    • @the_linguist_ll
      @the_linguist_ll 2 місяці тому

      Right? You have to go out of your way to avoid the wealth of premade password systems out there to make… this thing

  • @JustOneAsbesto
    @JustOneAsbesto 10 років тому +25

    "Moonpig bug" sounds like something from a Beat Poem, or William S. Burroughs novel.

    • @Sathrand
      @Sathrand 10 років тому

      Thank you for the hearty laugh.

  • @thenerdyouknowabout
    @thenerdyouknowabout 9 років тому

    I have never heard a better summary of moonpig! brilliant tom!

  • @CoolAsFreya
    @CoolAsFreya 5 років тому +3

    As a networking student "never trust user input" and "treat everything as malicious until proven otherwise" are the two biggest rules in setting any network or service up

  • @CinemaDemocratica
    @CinemaDemocratica Рік тому +1

    Greatest opening line of a Tom Scott video in history.

  • @DemolitionTurtle
    @DemolitionTurtle 10 років тому +11

    Great video, Tom! I'm never gonna give up watching if you're never gonna let me down with these ;)
    I really like these computer security videos, although it is scary how insecure some reputable services are.

    • @Kitulous
      @Kitulous 3 роки тому

      did you just rickroll me?

    • @LunizIsGlacey
      @LunizIsGlacey 3 роки тому

      @@Kitulous yes, they did.

  • @Vedrajrm
    @Vedrajrm 7 років тому +1

    This channel is amazing,
    I've been like binge watching his videos like everyday

  • @Марк.Фетнов
    @Марк.Фетнов 5 років тому +5

    I once had the pleasure of doing some updates on an accountant's website. I discovered that as well as all their clients' passwords being stored in plain text, their uploaded accounts documents were stored in a publicly accessible folder with consecutive IDs as file names. To be fair, the company I worked for had me update the code at no cost to the customer.
    I was amazed at how many passwords were in the format: [username]123 ...!

  • @Kerbal_fever
    @Kerbal_fever 4 роки тому +2

    I always remember my IT teacher looking over our code as 'A test of destruction'.

  • @Roxor128
    @Roxor128 10 років тому +5

    "Innocent until proven guilty" is for lawyers, not software developers.

  • @FerroNeoBoron
    @FerroNeoBoron 10 років тому +1

    Code it like someone is going to break it is not only a good mantra for security purposes, it's usually a good mantra for writing application code in general.

  • @miko5742
    @miko5742 3 роки тому +6

    watching this after spiff's new vid

  • @d3line
    @d3line 10 років тому +1

    Thank you! I really enjoy your tech-y videos.

  • @hugo57k91
    @hugo57k91 4 роки тому +3

    00:04 I heard that as "and they make personalized crack" and I was very confused

  • @warmachineuk
    @warmachineuk 4 роки тому +2

    As others have written, treat all user input as evil. Desktop web browsers have a developer mode, allowing even amateur users to edit the page they download, including hidden form values, cookies, hyperlink parameters, and form validation done in Javascript. Identify the customer from a hidden customer id in the page and a teenager will hack your application.

  • @AJG6150
    @AJG6150 8 років тому +182

    For some reason, whenever I watch Tom's videos, I become thirsty.

    • @dreamcast13
      @dreamcast13 8 років тому +1

      wait me too o.o

    • @Joe-wj4hj
      @Joe-wj4hj 8 років тому +93

      Thirsty for knowledge

    • @JapaneseWhiteKid
      @JapaneseWhiteKid 8 років тому +14

      It's because he always makes mouth noises, if you know what I mean (not speaking obviously)

    • @craigthecat4202
      @craigthecat4202 7 років тому +2

      Me too :o

    • @the1exnay
      @the1exnay 7 років тому +3

      Me too ;)

  • @AntiComposite
    @AntiComposite 9 років тому +1

    Their press response is basically saying "Please don't punish us for PCI violations," as many do. And no, the last four of a credit card number is not payment information. Troy Hunt wrote a good piece on this.

  • @dapperrogue
    @dapperrogue 10 років тому +4

    Delta Airlines had a similar bug in December that allowed you to use another passenger's boarding pass. Whoops.

  • @warmachineuk
    @warmachineuk 7 років тому +2

    As a programmer, I know there's simply no excuse for this. Web application frameworks can generate large, unguessable strings of text as session ids. Even if someone manages to copy your session id, it's useless as soon as you logout or you've been idle too long. The client never sees a customer id.

  • @samsargent284
    @samsargent284 4 роки тому +4

    "...and run up 10,000 quid mining bitcoin on someone else's credit card." I love you Tom

  • @ginfox91
    @ginfox91 10 років тому +1

    Thanks Tom, another interesting video. I'm glad I've never registered with moon pig. I'll bear this in mind the next time I code.

  • @Falney
    @Falney 8 років тому +4

    There is nothing wrong with using consecutive numbers for an ID in certain circumstances. For instance if the ID is kept fully internal and no one ever finds out how your ID system works and it isn't used with vulnerable data.
    A far more suitable approach (and the one I use) is to use UUIDs. This is a random 36-character hexadecimal value which has less than a 1% chance of returning a duplicated UUID for every quintillion UUIDs. There are over 5 unodecillion combinations possible. Which is basically a lot.

    • @Qbe_Root
      @Qbe_Root 8 років тому +7

      Of course, just don’t use consecutive IDs as permanent tokens to access private accounts…

    • @floppaquest4916
      @floppaquest4916 7 років тому

      5 unodecillion? Amateur. Try 2 combinations.

  • @ThatDevMatOfficial
    @ThatDevMatOfficial 3 роки тому +1

    From personal experience... Developers are actively told not to worry about cyber security by managers. This is bad because development teams have larger teams and more money than cyber security. Cyber security isn’t profitable in the eyes of the managers. That’s the big problem. I, as a developer, can’t add extra security.

  • @levolta
    @levolta 10 років тому +30

    Interesting video!
    I would like to know what exactly identity theft is. I get the main idea, but I, and I think many others, do not know exactly what bad things can be done(or have been done in the past to regular people). Most people I know do not really care about it.

    • @TomScottGo
      @TomScottGo  10 років тому +37

      levolta It's a shorthand for "someone impersonating you" -- best case, they order a couple of things using your credit card, your bank notices and cancels everything, no major harm done. Worst case -- and you see cases of this with relatives and friends, not unknown online attackers -- they take out some loans in your name, run off with the money and ruin your credit score.

    • @NNOTM
      @NNOTM 10 років тому +12

      *****
      I think the worst case is probably a whole lot worse than that. Granted, this is unlikely to happen to a lot of people, but I think someone who can impersonate can, in addition to ruining your credit score, also ruin the relationship with anyone you know, get you to lose your job, get you into a court for some crime you didn't commit, etc.

    • @Booone008
      @Booone008 10 років тому +10

      NNOTM
      As you pointed out, doing that is luckily not the goal of the average bad guy targeting insecure services. If the attacker does not hold a personal grudge against you but is instead targeting random people that he happens to be able to hijack, he is usually "only" after money and/or prestige.
      That being said, it can still ruin you pretty easily when your online identity is taken over, especially nowadays where so much of our life takes place online ...

    • @jca111
      @jca111 10 років тому +6

      Identity theft can manifest in many ways, but I was the victim about 8 years ago, and someone took £2K of loans out in my name. It took me 4 years to clear my name, and an awful lot of aggro. They were however caught. All they needed was my name, address and DOB. Where they got it from (it was no one I knew) I do not know, but it could realistically be many places.

  • @VarnokGamer
    @VarnokGamer 4 роки тому

    The beginning is the best explanation of moonpig

  • @j2simpso
    @j2simpso 4 роки тому +7

    Ahh good ol pentest. As a leftie I’m very fond of this as most pens on the market smudge unless you adapt a cranes grip on the pen. Having to go through the hundreds of pens to find that one pen that both doesn’t smudge but also maintains a smooth flow of ink is crucial. 🤣

    • @Khunark
      @Khunark Рік тому

      goddamned liberal

  • @timscheive413
    @timscheive413 7 років тому

    Haha I got an Experian ad on this video. Loving your channel

  • @VitaNova83
    @VitaNova83 9 років тому +3

    I love all the 'developer bashing' replies to this. In the real world, outside of academia and hobbyist programming, you have to realise that quite possibly this was not the fault of the developer. He/she may have been screaming bloody murder about wanting to do it the right way, about how they need more time to get it right. But if it's not in the project plan, if the stakeholders don't want to pay for it or won't listen to advice, then bad code goes into production. It's not fair to blame the developer when the shit hits the fan a year down the line.

    • @PeterAuto1
      @PeterAuto1 8 років тому +1

      You don't need much more time to introduce random numbers for the user IDs. It also wouldn't be perfectly safe, but now the hacker has to guess each ID.
      I think the stakeholders don't say to the developer, "you have to make continuous IDs".

  • @douglasg14b
    @douglasg14b 4 роки тому +1

    Don't forget that project management often drives these kind of flaws, not necessarily the devs themselves.
    I've been on projects where I bring up that accounts can be enumerated, that IDs are visible sequentially, etc. But it ALWAYS gets deferred to the "It hasn't been a problem yet, so we are not going to work on it" pile of security negligence.

  • @ANXIETOR
    @ANXIETOR 10 років тому +11

    I see that three employees of moonpig gave you thumbs down.

  • @Bob_Burton
    @Bob_Burton 10 років тому +1

    This reminds me of the way that the Web based expenses system of a company that I worked for was coded.
    When submitting an expenses claim online it was given an ID (a sequential number) and at the end of the submission process the user was given an option to print the expenses claim form for their records. If you chose to do that the URL for the print request contained the ID as part of a querystring so by substituting another number you could (allegedly) print off any expenses claim ever submitted.
    When this was pointed out to the people who wrote and maintained the system it was ignored. Bearing in mind that the company was a large software house employing hundreds of programmers I have no doubt that people other than me noticed the flaw and for all I know exploited it to snoop.

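The two patterns discussed above, the video's "customer id sent by the client is the credential" and the server-side session tokens and ownership checks that @warmachineuk and the expenses-system comment call for, side by side. This is an added example, not Moonpig's code or any commenter's; the customers, orders and passwords are constructed sample data.

```python
"""Added example (not Moonpig's or any commenter's code): a lookup where a
sequential customer id *is* the credential, next to a session-token design
with an ownership check. All records and passwords are constructed samples."""
import hashlib
import hmac
import secrets


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Sequential customer ids, as in the video; passwords are stored as salted hashes.
_SALTS = {1: secrets.token_bytes(16), 2: secrets.token_bytes(16)}
CUSTOMERS = {
    1: {"name": "Alice Example", "card_last4": "1234", "pw": _pbkdf2("alice-pw", _SALTS[1])},
    2: {"name": "Bob Example", "card_last4": "5678", "pw": _pbkdf2("bob-pw", _SALTS[2])},
}
# Order ids are sequential too: ownership has to be enforced, not inferred from the id.
ORDERS = {1001: {"owner": 1, "item": "birthday card"},
          1002: {"owner": 2, "item": "anniversary card"}}


def get_customer_insecure(customer_id: int):
    """Vulnerable pattern: the client-supplied id is trusted as proof of identity,
    so any integer the caller picks returns that customer's record."""
    return CUSTOMERS.get(customer_id)


class SessionStore:
    """Server-side map from an unguessable token to a customer id; the client
    never needs to see or send the customer id at all."""

    def __init__(self):
        self._sessions: dict[str, int] = {}

    def login(self, customer_id: int, password: str):
        customer = CUSTOMERS.get(customer_id)
        if customer is None:
            return None
        # Constant-time comparison of the salted hash, so timing reveals nothing.
        if not hmac.compare_digest(_pbkdf2(password, _SALTS[customer_id]), customer["pw"]):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits: cannot be enumerated
        self._sessions[token] = customer_id
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # a copied token is useless after logout

    def get_customer(self, token: str):
        """Hardened: identity comes only from the server-side session."""
        customer_id = self._sessions.get(token)
        return None if customer_id is None else CUSTOMERS[customer_id]

    def get_order(self, token: str, order_id: int):
        """Authorisation on top of authentication: an order is returned only if
        the session's customer owns it, however guessable the order id is."""
        customer_id = self._sessions.get(token)
        order = ORDERS.get(order_id)
        if customer_id is None or order is None or order["owner"] != customer_id:
            return None
        return order
```
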
  • @Igneous01
    @Igneous01 8 років тому +4

    You would be surprised at how terribly vulnerable and poorly designed some software is in the business world. I go mad thinking about what's going to happen when our company launches its SaaS platform...

  • @JackReid0
    @JackReid0 10 років тому

    Saw an older Tom Scott video today. So glad you got a haircut, looking a lot better.

  • @fig8man
    @fig8man 8 років тому +19

    How do you mine bitcoins with a credit card? where do I even plug it in?

    • @pisse3000
      @pisse3000 8 років тому +2

      The disk drive. And don't worry if your computer doesn't have one, there are external ones you can buy.

    • @pisse3000
      @pisse3000 8 років тому +1

      ***** (it's a joke)

    • @pisse3000
      @pisse3000 8 років тому +2

      ***** But 2 am is the best time to read YouTube comments!

    • @Luca-jy8ne
      @Luca-jy8ne 7 років тому +3

      I'd say buy a lot of hashing power from someone else and direct it to your wallet. Not sure if there's an easier way.

  • @billyjesus5442
    @billyjesus5442 3 роки тому

    switching between two static cameras, love it!

  • @Ratstail91
    @Ratstail91 10 років тому +8

    I'm making a game (badly), and I'll need a way to log in sooner or later. I'm seriously considering using Facebook or Twitter APIs, even though it's a native executable.

    • @garouHH
      @garouHH 9 років тому +3

      Ratstail91 And thus shutting out everybody who doesn't buy into those sites?

    • @Ratstail91
      @Ratstail91 9 років тому +2

      garouHH Fair point. Still, I need a way to ensure I'm not sending my players down a river with the security, you know? Man-in-the-middle is probably the least dangerous problem, considering the size of my playerbase (currently in the single digits).

    • @garouHH
      @garouHH 9 років тому +3

      Ratstail91 Well, you could use TLS to encrypt the connection and thus (if you manage to do certificate authentication properly) be safe at that point from MITM by anyone but intelligence agencies. If you then remember to store passwords only as salted hashes, using a still-secure hashing algorithm (I'd currently recommend SHA512), then you're pretty much in the clear. Unless you introduce some vulnerability elsewhere, of course.

    • @undead890
      @undead890 7 років тому

      Server side, you can use a proper web framework like Ruby on Rails or Laravel to handle authentication like that.

    • @agustinvenegas5238
      @agustinvenegas5238 4 роки тому +3

      now i'm curious what's the game you made, how is it going?

  • @markusbina360
    @markusbina360 10 років тому

    Don't know if someone already mentioned this: But you would *not* send the username or userid and the password over any connection (does not matter if it is encrypted) ... you'd normally generate a hash of that password (maybe use some kind of salting too ... exchange of random numbers or whatever) over a secure (encrypted) connection ... this way the actual cleartext password needs only to be stored during generating the hash

  • @Showsni
    @Showsni 9 років тому +4

    So what is the best way to report something like this? I ran across a security vulnerability on a certain broadband provider's website entirely by accident - one that ultimately let you log in to anyone's account simply by knowing the username, without having to use the password at all. (Then once you're logged on you can of course see address, email, name, phone number, past invoices, etc...) Several emails to the company over the course of a few weeks and no fix; eventually, after a few months pass, I manage to get through on the 'phone, walk the tech support person through the steps, and now it looks like they've finally fixed the problem. (I am curious how exactly the problem came to exist, but I'm not exactly tech savvy. Maybe someone could explain it to me if I tell them the repro steps!). Did I do the right thing in keeping quiet and just privately contacting the company?

    • @NoriMori1992
      @NoriMori1992 8 років тому +2

      Yes. That's what the guy who found the Moonpig vulnerability did. If they fixed it after you helped them, then there's nothing more for you to do. If they haven't fixed it yet, it's time to go public with it.

  • @NNOTM
    @NNOTM 10 років тому +1

    I think an even slightly better question than "How could I break this?" might be "How do I break this?"

  • @dom_h
    @dom_h 10 років тому +14

    Does this mean you can get the tester account details by trying the first few accounts? :D

    • @thebouncyball2305
      @thebouncyball2305 10 років тому +8

      most likely, assuming those accounts are still live.

  • @mist0098
    @mist0098 4 роки тому +1

    those consecutive numbers sound like a certain country's only way of identifying their citizens.

  • @karl5874
    @karl5874 8 років тому +18

    I just discovered your channel yesterday and have watched through almost all your videos (because they are amazing, brilliant, unique, can't find words) and just realized I have had ADBLOCK ACTIVATED on every single video. (I was just about to ask why you didn't have ads...) I hope Jesus (but primarily you) will forgive me D:

    • @Boolihan
      @Boolihan 8 років тому +5

      Hopefully you have rewatched every one of his videos in the month since you posted this. WITHOUT ADBLOCK

    • @karl5874
      @karl5874 8 років тому +9

      Wild Gaming Honestly I think I have now... Not even joking...

    • @zsdanix
      @zsdanix 7 років тому +7

      Did you know that if you skip ads the content creator gets no money at all, just like if you used adblock? Also content creators can't get any money from mobile views (where ads might run even for people using adblocks on PC). Yeah, YouTube ad revenue is a messed up system.

    • @grumpygoomba9763
      @grumpygoomba9763 6 років тому +2

      Surely they must get something from mobile views assuming the ad is watched all the way through. Mobile is now the biggest platform in terms of number of views.

  • @peterharrow3621
    @peterharrow3621 7 років тому

    That closing sentence. It gave me feels.

  • @a_penguin1183
    @a_penguin1183 4 роки тому +3

    Was it just me that got an advert from Moonpig straight after the video? 😂

    • @fourk_
      @fourk_ 3 роки тому +1

      I started getting moonpig ads. I thought I was the only one

  • @Techno-Universal
    @Techno-Universal Рік тому

    Many companies also not only thank people for discovering security vulnerabilities in the systems but often also offer bounty rewards to them which could even sometimes be in the millions if the vulnerability is extremely serious! :)

  • @allanrichardson1468
    @allanrichardson1468 7 років тому +3

    When I was programming mainframes, the biggest worry was user input that might ACCIDENTALLY crash a program, and most of the input editing was aimed at those kinds of errors, like someone exchanging a transaction's effective date and their birth date on a form, and then we tried to compute their age.
    Once the PC and the internet appeared, we also had to worry about outsiders trying to crash or misuse systems on purpose.

  • @Motor_Mike
    @Motor_Mike 3 роки тому

    Thank goodness for people like you and others who care.

  • @TacComControl
    @TacComControl 3 роки тому +5

    Remember to check through more than 14 different listings when checking for Pen-testers. The Pen-15 rule is EXTREMELY important to remember.

  • @metaforth
    @metaforth 3 роки тому +2

    Tom Scott doesn't seem to like moonpig very much