Password requirements 😅

Comments
  • 5
    I love the maximum password length set to 6 chars 😖 okay, I understand if you don't want someone pasting in kilobytes of characters which then go through a hash algo... but 6!?? are you intentionally trying to make your security suck?
  • 8
    And perhaps the best account recovery scheme I've ever seen:

    I forget which site it was, but it wasn't a small one.. IIRC this was in ~2008

    -----
    > shit forgot my password
    > go to reset page

    > enter username:
    > rozzzly

    > Hi rozzly, let's recover your account! if you can answer your secure account recovery question, we'll send you an email (rozzzly@what.ever) so you can get back in!

    the sign up / edit profile page had text under the email fields, "we will keep this private". so clear design flaw, but not too terrible. exploiting this would let you find any user's supposedly private email.

    now the security question.. oh laws

    > what is your birthdate?
    which is public on every profile. doesn't even require you to log in. to make things even better, registration did not require you to set up a birthday, so I found quite a few accounts that just had the Unix epoch set for theirs

    ... that was the secure question 😲

    just wait, it gets better
  • 7
    > open email
    > see new one, "recover your password"
    > Hello rozzzly,
    > You gave the correct security question answer.
    > Our server has decrypted your secure password
    > your password is: { my password in plaintext }
    ...you've got to be fucking kidding me.. so they're not hashing the passwords. At best they're "encrypting it" with their "secure encryption method", probably base64; something tells me rot13 😒
    so I write the admin an email explaining how his shit is Swiss cheese.
    to be continued..
  • 5
    I was a bit snide in that email, but not nearly as much of a dick as I should have been. Used language like, "this is a very poor design decision" and "you're putting users at risk". You know, nothing hostile, but not too friendly either. Seriously looking to help though, I detailed the issues in depth. Even wrote a pseudocode script which dumped the emails of all the users (there was a page with all the users listed on it)
  • 4
    Used the email exploit to get the main admin's email. Sent that to him. 2 days and no reply.

    Okay hmmm let's do a whois on the domain... of course the guy's full name, street address, etc. comes up..
    ...😆 this guy man.. good lord
    anyway that whois included what was apparently his main email. Sent the same thing to that email. A few hours later, I visit that site:
  • 5
    > page is white
    > "fuck off you gay hacker!"
    this was in an h1 styled with {
    font-size:72px; color: red; text-align:center; }

    and then a 6s delayed redirect with an http meta tag to... meatspin.com
    I'm not gay, I never posted anything on that site either for/against LGBT... so idk where that came from, but something tells me he was probably repressing something 😂
    I laughed, stupid fuck. closed tab. never tried to contact him back.
  • 4
    like almost a year later, I open that site out of curiosity. Still being IP filtered, but now the HTML is mangled.. of course

    more curious now, I open the site in Tor. My account wasn't banned, logged in, okay did he change anything? logout --> reset my password. same stupid question, birthdate still public on the profile. but at least the email address wasn't shown anymore... went to check my email

    And to my surprise, no plaintext password! a link....
  • 6
    somesite.com/reset_userPass.php?userid=7

    no tokens... and the user ID is in the URL of user profiles. seriously? let's see... found his uid, put it in the URL.. entered the new password and it reset it. fucking idiot, in that email I had included a dozen different articles/tuts about basic security, mostly authentication/secure recovery processes.

    Login directs me to the front page, and now the navbar has a new link.. to "admin"
    > no please this is too easy 😪
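  Added example (my own code, not from this thread or from the site being described): the reset flow the story wants instead of the one it got. It addresses the plaintext password e-mail from the comment above ("Our server has decrypted your secure password") and the reset_userPass.php?userid=7 link: passwords are stored as salted PBKDF2 hashes so recovery can only set a new password, never reveal the old one; the reset link carries a random single-use, expiring token; only a hash of the token is stored; and the user to reset is looked up from the token record, never taken from the URL. All function names, the in-memory dicts and the sample user are constructed for the example.

```python
"""Token-based password reset with hashed-at-rest credentials (added example).

Hypothetical names throughout; the two dicts stand in for database tables.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # constructed choice: reset links die after 15 minutes
PBKDF2_ROUNDS = 200_000

users = {}          # user_id -> {"email", "salt", "pw_hash"}   (constructed table)
reset_tokens = {}   # sha256(token) -> {"user_id", "expires"}   (constructed table)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the site can verify a password but never "decrypt" it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(user_id: int, email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[user_id] = {"email": email, "salt": salt,
                      "pw_hash": hash_password(password, salt)}


def verify_password(user_id: int, password: str) -> bool:
    u = users[user_id]
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, u["salt"]), u["pw_hash"])


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: int, now: Optional[float] = None) -> str:
    """Mint an unguessable token for the e-mailed link.

    Only its hash is persisted, so reading the table does not yield live links.
    The raw token is returned once, to be put in the e-mail, and never stored.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    reset_tokens[_token_hash(token)] = {"user_id": user_id,
                                        "expires": now + TOKEN_TTL_SECONDS}
    return token


def reset_password(token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Redeem a token and set a new password.

    The user id comes from the stored token record, not from the request, so
    substituting someone else's id (the userid=7 trick) buys nothing. pop()
    makes the token single-use; the expiry check bounds the window of an
    intercepted or leaked e-mail.
    """
    now = time.time() if now is None else now
    rec = reset_tokens.pop(_token_hash(token), None)
    if rec is None or now > rec["expires"]:
        return False
    u = users[rec["user_id"]]
    u["salt"] = secrets.token_bytes(16)        # fresh salt on every change
    u["pw_hash"] = hash_password(new_password, u["salt"])
    return True


if __name__ == "__main__":
    create_user(7, "rozzzly@example.invalid", "old-pass")   # constructed sample
    link_token = issue_reset_token(7)
    print("mail link: /reset?token=" + link_token)            # no user id in it
    print("reset ok:", reset_password(link_token, "new-pass"))
    print("old password still valid:", verify_password(7, "old-pass"))
    print("token reusable:", reset_password(link_token, "again"))
```

The point the story makes is that the link must be the capability: if the server can be told whom to reset, it will be. The `now` parameter exists only so the expiry path can be exercised in a test without sleeping.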
  • 4
    (he had written his own CMS if you couldn't tell by now)
    in the admin "panel" there was a place to edit the "templates" which was a <textarea> containing the raw PHP sauce of the header, nav, footer, etc..
    Realizing I could easily root the box with RFI, I started to feel bad, but couldn't resist adding one line...

    header('Location: meatspin.com')
  • 4
    he must have either given up, or (more likely from my impression of him) been unable to view/write his source files because his little template editor would just redirect him to meatspin. He could have easily used FTP and notepad.exe but... either that didn't occur to him or he was a little distracted by that rhythmic circular motion
  • 5
    And that is why you don't dismiss vuln disclosures. I still feel bad because that guy obviously put a lot of effort into his site; I didn't expect him to not fix such a simple thing. oh well, we live and we learn, right round baby right round
  • 4
    @rozzzly great story 😂
  • 2
    @rozzzly you have my cookie