As it is fixed now I guess I can share this piece of "amazing Security" at @tmobileat:
(For more context on this issue see this post by @internetwache https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/ and their tool to scrape git repos https://github.com/internetwache/GitTools)
Thus I was able to download their repo. The WordPress config (wp-config.php) was in the repository. That config file contains the database/MySQL username/password.
But the database was running on localhost - so it's not a big deal. Well, except if they have a phpMyAdmin interface open to the public. Which they had.
If you surf to the raw IP address of those hosts you get to see a directory listing - with one directory, which brings you to the phpMyAdmin. So I could've logged in there and changed the affected webpages at will.
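A defender-side check for the pattern described in this thread, added here as an example (it is not code from the thread, from @internetwache or from GitTools): it reads web-server access-log lines in the common "combined" format and flags requests for .git metadata, wp-config.php (including backup copies) and phpMyAdmin, separating probes the server answered with 404 from ones it actually served, since a 200 on /.git/HEAD means the repository really is exposed. The log lines, IPs and paths are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2015:10:01:02 +0200] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.43.0"
203.0.113.5 - - [28/Jul/2015:10:01:03 +0200] "GET /.git/config HTTP/1.1" 200 261 "-" "curl/7.43.0"
203.0.113.5 - - [28/Jul/2015:10:01:04 +0200] "GET /.git/objects/ab/cdef HTTP/1.1" 200 4096 "-" "python-requests/2.7"
198.51.100.7 - - [28/Jul/2015:10:02:00 +0200] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 5120 "https://example.invalid/" "Mozilla/5.0"
198.51.100.9 - - [28/Jul/2015:10:03:00 +0200] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.33 - - [28/Jul/2015:10:04:00 +0200] "GET /phpmyadmin/index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The three things this thread shows being reachable from the public internet.
SENSITIVE = [
    ("git-metadata", re.compile(r"(^|/)\.git(/|$)")),                 # /.git/HEAD, /.git/config, objects...
    ("wp-config", re.compile(r"(^|/)wp-config\.php(\.|~|$)")),         # wp-config.php, .bak, editor ~ copies
    ("phpmyadmin", re.compile(r"(^|/)phpmyadmin(/|$)", re.IGNORECASE)),  # /phpmyadmin/, /phpMyAdmin/
]


def classify(path):
    """Return the sensitive-resource label for a request path, or None."""
    # Drop the query string and URL-decode once so %2Egit does not slip past the patterns.
    p = unquote(path.split("?", 1)[0])
    for label, rx in SENSITIVE:
        if rx.search(p):
            return label
    return None


def scan(log_text):
    """Per client IP and label: how many sensitive requests, and how many got a 2xx (i.e. were served)."""
    findings = defaultdict(lambda: defaultdict(lambda: {"hits": 0, "served": 0}))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        label = classify(m.group("path"))
        if label is None:
            continue
        rec = findings[m.group("ip")][label]
        rec["hits"] += 1
        if 200 <= int(m.group("status")) < 300:
            rec["served"] += 1  # a 2xx here is the misconfiguration itself, not just a probe
    return {ip: dict(labels) for ip, labels in findings.items()}
```

Any "served" count above zero for git-metadata or wp-config is a finding to act on (block the path at the web server and rotate the credentials in wp-config.php); "hits" with zero "served" is scanning noise worth watching but not a leak.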
Wait. Public git?

That's really not a big deal, unless you're stupid enough to store passwords in there, which they were...
But even blog content in git? Makes it even easier to clone website and harvest private info, see for ex: https://mobile.nytimes.com/2017/09/20/business/equifax-fake-website.html