Hacker News

Source code of the worm: https://hastebin.com/gubegaqusi.xml

Pretty much what you'd expect.

Edit: This isn't the full source code. There was another PHP file visible on their website that unfortunately isn't visible anymore.




Heh, they're using Google Analytics to track its spread. That's a nice touch.


It's possible to send any data we want to their Analytics tracker... perhaps we send them some spam?


Where is ilovevitaly when you need him?!


"No fair! You got your privacy invasion in my privacy invasion!"


That made my day.


On a brief skim, it doesn't seem to do much besides spread itself. Am I missing something, or was it just for lulz? Or maybe a grey hat trying to prove a point?


That's all this code does, but the author then has a backdoor to all the victim's email through the OAuth app.


Except that Google can kill those auths.


It's really a question of how malicious the author was: if they set it up to download everything attached to the account as soon as it connected, it could still cause a lot of damage.


Even worse: the hacker could have taken a list of, let's say, the top 1000 banking (or any type of online service) websites across the globe. The moment the hacker gets access to your Gmail account, he initiates a password recovery request on each of those 1000 websites, gets the password reset link from the email, resets the password, and deletes the email. He could now have access to any other online account you have that had its recovery email set to your Gmail account.


Safe to assume that google could track such activity for affected accounts and notify if that was widespread?

(or is that somehow against the 'only our anonymized ad display program can scan your email' privacy policy?)
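One way a mailbox owner or provider could spot the pattern the two comments above describe (a burst of password-reset mail from many unrelated services, each deleted minutes later). This is an added example, not code from the thread or from Google; the export format (one dict per message with `ts`, `from`, `subject`, `deleted`), the `RESET_KEYWORDS` list and the sample messages are all constructed for the example.

```python
"""Flag a burst of password-reset e-mails from many distinct services in a
short window, the trace an attacker with mailbox access would leave when
resetting third-party accounts through the recovery address.

Added example, not code from the thread or from Google. The mailbox export
format and the sample messages below are assumptions made for the example.
"""
from datetime import datetime, timedelta

# Subject fragments typical of account-recovery mail. Assumption: a small
# keyword list; a production rule would be tuned per provider.
RESET_KEYWORDS = ("password reset", "reset your password", "recovery link",
                  "account recovery")

# Constructed sample mailbox: one ordinary message, a burst of four reset
# mails from four services that are all deleted, then an unrelated mail
# from one of the same senders.
SAMPLE_MAILBOX = [
    {"ts": "2017-05-03T09:12:00", "from": "friend@example.net",
     "subject": "lunch?", "deleted": False},
    {"ts": "2017-05-03T13:00:05", "from": "noreply@bank-a.example",
     "subject": "Password reset requested", "deleted": True},
    {"ts": "2017-05-03T13:00:07", "from": "security@shop-b.example",
     "subject": "Reset your password", "deleted": True},
    {"ts": "2017-05-03T13:00:09", "from": "no-reply@social-c.example",
     "subject": "Your account recovery link", "deleted": True},
    {"ts": "2017-05-03T13:00:11", "from": "help@cloud-d.example",
     "subject": "Password reset requested", "deleted": True},
    {"ts": "2017-05-03T18:30:00", "from": "noreply@bank-a.example",
     "subject": "Your monthly statement", "deleted": False},
]


def is_reset_mail(msg):
    """True if the subject looks like an account-recovery message."""
    subj = msg["subject"].lower()
    return any(k in subj for k in RESET_KEYWORDS)


def find_reset_bursts(mailbox, window=timedelta(minutes=10), min_senders=3):
    """Return one (window_start, distinct_sender_domains, deleted_count)
    tuple per burst: a window of `window` length containing reset mail
    from at least `min_senders` distinct sender domains.

    A single reset mail is normal; three or more services in ten minutes,
    with most of them deleted, is the signal worth alerting on.
    """
    resets = sorted(
        (datetime.fromisoformat(m["ts"]), m["from"].split("@")[-1], m["deleted"])
        for m in mailbox if is_reset_mail(m)
    )
    alerts = []
    i = 0
    while i < len(resets):
        start = resets[i][0]
        # resets is sorted, so the window is a contiguous slice from i
        in_window = [r for r in resets[i:] if r[0] - start <= window]
        domains = {r[1] for r in in_window}
        if len(domains) >= min_senders:
            deleted = sum(1 for r in in_window if r[2])
            alerts.append((start.isoformat(), len(domains), deleted))
            i += len(in_window)  # do not report the same burst twice
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for start, senders, deleted in find_reset_bursts(SAMPLE_MAILBOX):
        print(f"reset burst at {start}: {senders} services, {deleted} deleted")
```

The thresholds (ten minutes, three distinct domains) are deliberately loose; the deleted count is reported alongside so an analyst can tell a user who really did reset several passwords from a mailbox where the evidence was cleaned up behind them.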


The most recent statement from Google said that "no other data was accessed", so interpret that as you will.


It redirects to a couple different PHP pages as well, so there could have been more malicious code there


Sending everything to this mailinator address which oddly seems to be empty:

https://www.mailinator.com/inbox2.jsp?public_to=hhhhhhhhhhhh....

Maybe Mailinator has purged the box and is rejecting mail from it. Good on them.


Mailinator purged it early on yeah.


Man, I wonder how much wider this would have spread if they had spent a teensy bit more time to make e.g. the To address less suspicious.


What context was that code expected to be executed in?



