

MacRumors live feed hacked during keynote - Alex3917
http://www.macrumorslive.com/

======
Jasber
Thread in 4Chan where it was "hacked": <http://www.webcitation.org/5dd9iJFVY>

Pretty interesting to watch it unfold. The first SQL the guy posts is a SQL
injection waiting to happen:

$query = "select * from sms_users where authentication='".$_GET["auth"]."'";

Edit: Changed link to use webcitation because 4chan link went down. Original
link was at: <http://zip.4chan.org/g/res/3118906.html>
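
An added example, not part of the original post and not the site's code: the quoted query next to a bound-parameter version, run against constructed rows. The table and column names come from the quoted line; the in-memory SQLite database, schema, token values and function names are assumptions, and in the real page the value would come from `$_GET["auth"]`.

```php
<?php
// Added example, not the site's code. Table and column names come from the
// query quoted above; the schema, rows and token values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sms_users (id INTEGER PRIMARY KEY, name TEXT, authentication TEXT)");
$db->exec("INSERT INTO sms_users (name, authentication) VALUES
           ('editor-a', 'tok-aaaa'), ('editor-b', 'tok-bbbb')");

// As posted: the request value is concatenated into the SQL text, so a
// quote in it ends the string literal and the rest is parsed as SQL.
function lookup_concatenated(PDO $db, string $auth): array {
    $query = "select * from sms_users where authentication='" . $auth . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement text is fixed and the value is bound as data.
function lookup_prepared(PDO $db, string $auth): array {
    // Reject values that cannot be a token before touching the database.
    if ($auth === '' || strlen($auth) > 64) {
        return [];
    }
    $stmt = $db->prepare(
        "SELECT id, name FROM sms_users WHERE authentication = :auth");
    $stmt->execute([':auth' => $auth]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one valid token, one wrong token, and one value
// containing a quote, kept as a regression case for the injection.
$cases = ['tok-aaaa', 'tok-zzzz', "x' OR '1'='1"];
foreach ($cases as $auth) {
    printf("%-16s concatenated=%d rows  prepared=%d rows\n",
        $auth,
        count(lookup_concatenated($db, $auth)),
        count(lookup_prepared($db, $auth)));
}
```

The two functions agree on the first two inputs and differ only on the third, where the concatenated query matches every row and the prepared one matches none. With PDO's MySQL driver, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server do the binding rather than the client library.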

~~~
tjic
The 4chan page is gone, FYI.

------
whyleyc
Looks like they had an admin update panel that was "secured" through
obfuscation:

<http://img.skitch.com/20090106-p2dughwb2yujxdutfh55ixxajn.png>

~~~
Jasber
After seeing that the feed had been hijacked I poked around to see how easy it
was.

My _first_ guess was <http://macrumorslive.com/admin> which contained the
full source code and password hashes to everything on the site.

They must have had a strange configuration because their .php files were
showing as plain text files. This revealed their master DB username/password
along with many other ways to exploit the site.

There's a reason security through obscurity doesn't work. Unfortunately
MacRumors had to find out on what was probably their biggest day of the year.

~~~
tdavis
_There's a reason security through obscurity doesn't work_

The even worse part is, it isn't even _obscure_! The path is _/admin/_ not
_/walrus/_ or something. And why would they have plain-text php files at that
URL? It's like shooting yourself in the foot and lighting yourself on fire in
a bear pit at the same time.

------
arn
The MacRumorsLive feed was compromised as described. The cause of the security
breach is best described as "user error" due to admin files being
inadvertently mirrored across multiple server instances with incorrect
permissions. This allowed php code to be displayed rather than executed, which
was clearly a "bad thing". Our actual admin panel is password protected, of
course.

------
andr
They took it offline, but here's a screenshot.
<http://i39.tinypic.com/apdatw.png>

May I guess unprotected admin panel, like Tumblr and Twitter?

------
mindplunge
Screenshot here:
<http://richardlemon.com/2009/01/macrumorslivecom-hacked-during-live-coverage-of-macworld-keynote-speech/>

------
thehigherlife
<http://www.flickr.com/photos/35309500@N00/3173797487/sizes/o/>

another screen shot.

------
axod
Are they using twitter? ;)

------
Tichy
Linking to a hacked site is not so nice, to be honest. What if the hackers put
up some malware on the site?

~~~
Alex3917
The static portion of the site wasn't hacked, just the live feed. In either
event it doesn't matter since the DNS is no longer resolving.

According to #macrumorschat, some 4chan kids figured out that going to
macrumorslive.com/admin showed the source code, and that's how they figured
out how to inject their own text.

It really sucks for the MacRumors guys since this is probably their biggest ad
revenue day of the year.

------
ObieJazz
MacRumors is down for me. Here's another liveblog:
<http://blog.wired.com/gadgets/2009/01/liveblog-macwor.html>

edit: I see, MacRumors was hacked. n/m then.

------
GHFigs
PSA: /g/ is the worst board on 4chan. Neither funny nor interesting, and with
no entertaining trolls. It is also more obsessed with Apple than even
MacRumors itself.

------
arthurk
The whole source code was visible by appending "/admin/" to the url. You could
then read through the PHP files and gain access to the backend.

------
pstinnett
Commenter on TechCrunch says it was due to MacRumors leaving the control panel
for the live feed open (not password protected).

~~~
chalkers
Well the control panel was, but the source code wasn't and the .htpasswd
wasn't.

------
briansmith
_NSFW_

~~~
palish
If your boss walks in and fires you because of that, then you probably didn't
want to work there anyway.

~~~
pstinnett
Towards the end of it I think the hijackers were posting fairly disgusting
images (in the vein of 4chan). Could've been what the NSFW tag was.

~~~
palish
Ah, gotcha. From the screenshot, I didn't realize they were able to inject
images as well as text.

~~~
pstinnett
I didn't either- luckily!! Just read about it on TechCrunch.

------
alaskamiller
On a tangent: Gdgt's liveblog (their first this year but it's run by the folks
that sorta started the liveblog trend) was the worst in that it kept dying.
Meanwhile Engadget had the best coverage and Gizmodo the fastest. VentureBeat
had the most innovative by integrating FriendFeed.

~~~
reggplant
They were using the Mosso cloud too and the problems seemed to happen at the
Mosso end which is rather disappointing.

~~~
alaskamiller
should have gotten a sponsorship from mediatemple

