--

[hacker1001101001]

OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

Nothing of that sort, it's just called ethics.

[1614847927]

1614847927

[1614847927]

1614847927

[1614847927]

1614847927

[Harlot]

The requested person was informed before disclosing it here.

That's not responsible disclosure.

How much time did you give him to fix any vulnerabilities before publicly disclose them?

OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

OP could have done damage if he wanted - or sold the info.  He did the moral thing, and there is nothing illegal about it.

Without the approval of the owner of the site and the hoster, it definitely is illegal. Depending on the country, maybe "just" a gray area.
You can't just start doing pentests on any website/service you encounter.

bob123 is right on this one, OP just by trying to alter anything on nastfans' website without any kind of permission to the owner can be considered as hacking in itself. It doesn't matter if OP has good intentions or not, someone else's property (nastyfan website) was altered/tested by someone who doesn't have any kind of permission too. Posting this earlier without any kind of replies back from either OGnasty or nonnakip is also a bad move made in his part frankly the OP didn't do any kind of good intention by posting this right away.

[Vod]

You can't just start doing pentests on any website/service you encounter.

Of course you can.  Justice takes "intent" into account. It's not against the law to break into a house unless you intend to do something illegal.

If he doesn't want visitors to his website, he should take it offline. 

[Steamtyme]

It's not against the law to break into a house unless you intend to do something illegal.

That's absurd. The law is literally "Breaking and Entering" which would be broken as they did so with the intent to commit an offence. Trespassing would fit this as well, if we want to use silly comparisons for this matter. Wouldn't it have made more sense to look at Computer Crime Laws to attempt to defend OP.

I read this a few days ago, and first thought was probably should have posted this well after contacting OG about it. Maybe even posting in conjunction. Should have probably stated you were going to perform test before going ahead and doing so. I don't know shit about website design and security so I can't speak to much else here apart from general courtesies and socially acceptable practices.

[Vod]

It's not against the law to break into a house unless you intend to do something illegal.

That's absurd. The law is literally "Breaking and Entering" which would be broken as they did so with the intent to commit an offence.

Your legal system would be a mess.  "I didn't B&E, the window was left open!" 

I'll give you some examples:
- enter a house for protection/shelter/aid or other emergency - not a crime
- enter a house you thought was abandoned to smoke weed - trespassing
- go into an understaffed hospital ward to gather supplies - B&E

The "break" is not literal.   

[khaled0111]

@Vod, I don't get your logic here.
What could be the intent behind pentesting and scanning a website without the consent of its owner!
and why did he disclose the vulnerability publicly before it got patched!
Maybe OP's intentionts are good, but by doing this, isn't he just making things easier for hackers?

[OgNasty]

The Minted Seat Analyzer is a 3rd party site run by naypalm. This was a poor extortion attempt targeting the wrong person.

[Vod]

This is a 3rd party site run by naypalm and has no functionality nor is it on the NastyFans server. It’s been broken for a long time. Maybe this will motivate naypalm to fix it. Nobody should be concerned by this. Just an idiot wasting his time and money on a poor attempt to extort me. The NastyFans server isn’t vulnerable.

Bottom line. No damage was done. This isn’t even the NastyFans server. This was a poor extortion attempt. The owner was not properly contacted before this was disclosed. This was very clearly a nefarious act, and a piss poor one at that.

No one extorted you,you idiot.    

Edit:  Actually, I don't know that. OG - who contacted you about this and demanded money to not post it? Post their PMs and support your claim of extortion.   What I see is a new hacker trying to prove himself, and doing the right thing by not exploiting what he found.  I know nothing of him, but if I were in his shoes, I wouldn't respect a person who doesn't respect others. 

Warning to future ethical hackers:   Do not contact OG about vulnerabilities - he will accuse you of a crime.   

[nonnakip]

I just want to bring attention to that website https://nastyfans.org/ and https://analyzer.nastyfans.org/ are leaking security information and are vulnerable to script injection.

Leaking security information? Your plain text connection performs the leaking not the server. If nastyfans members go always to nastyfans.org to sign in then they will use TLS and the credentials will be secure.

I maintain nastyfans.org and have responsibility for the security on it.

analyzer.nastyfans.org is a different server and is maintains by naypalm. Users must always be careful of phishing attacks. This is not the first time his server has vulnerabilities. Perhaps it is unwise to allow analyzer.nastyfans.org to point to naypalm's server. Users can be misleading to think it is the nastyfans server.

[bob123]

What I see is a new hacker trying to prove himself, and doing the right thing by not exploiting what he found.

He did exploit the vulnerability by creating the PoC popup.
There is not much more you can do with a reflected XSS on such a site. That's basically it.

Warning to future ethical hackers:   Do not contact OG about vulnerabilities - he will accuse you of a crime.   

An ethical hacker would not start to pentest a site/server without the permission of the owner and hoster.
It's more of a script kiddy move. And a pretty dumb one.

[Boris007]

There is not much more you can do with a reflected XSS on such a site. That's basically it.

Well we can do, It depends.
How about transferring to p*rnhub.com or to your bitcointalk.org profile page instead of popup??

[TECSHARE]

These attacks on OGNasty are getting increasingly desperate. As others have pointed out, it is well established in the hacking community (white and grey hat) that you first notify the owners of a site/code before making a public release. This was unethical, and IMO intended as an attack against OGNasty.

[Boris007]

These attacks on OGNasty are getting increasingly desperate. As others have pointed out, it is well established in the hacking community (white and grey hat) that you first notify the owners of a site/code before making a public release. This was unethical, and IMO intended as an attack against OGNasty.

I have no intention to attack someone personally.

[OgNasty]

An ethical hacker would not start to pentest a site/server without the permission of the owner and hoster.
It's more of a script kiddy move. And a pretty dumb one.

Yes, a script kiddy move to do it, and an attention whore move to try and publicize it as anything else. People should also take note of the merit sources who merited the behavior as they clearly showed bad judgement in doing so.

[Vod]

An ethical hacker would not start to pentest a site/server without the permission of the owner and hoster.
It's more of a script kiddy move. And a pretty dumb one.

Yes, a script kiddy move to do it, and an attention whore move to try and publicize it as anything else. People should also take note of the merit sources who merited the behavior as they clearly showed bad judgement in doing so.

So, who extorted you, you liar?   

And what happened to the 2,600 BTC you owed your depositors when you collapsed your ponzi?

Stop playing the victim. 

[Steamtyme]

People should also take note of the merit sources who merited the behavior as they clearly showed bad judgement in doing so.

Not really. It's a well layed out and written OP. The subject was thorough and complete. These are the types of things that will get a post merited regardless of someone agreeing with or disagreeing with the idea.

Now if they are adding them to trust lists then that's where you would start to question someones judgment.

[ChuckBuck]

It's all explained in great detail here.

That's a decent explanation but I prefer this one. You have to listen to at least 40 seconds of it to get its full implication.

Not only for 40 seconds, I had difficulty hearing. I mean I can write, but my listening skills are very bad, because I rarely communicate with people through this language, listening to a song is really harder than normal communication. I had to listen to so many times  But anyway, I like the way you guys put a song here 

I'll give you some examples:
- enter a house for protection/shelter/aid or other emergency - not a crime
- enter a house you thought was abandoned to smoke weed - trespassing
- go into an understaffed hospital ward to gather supplies - B&E

The "break" is not literal.   

I will call it "dodge the law"  Here, we jokingly say that learning to dodge law  The law always has a loophole, if you understand it well, you can take advantage of it 

[dragonvslinux]

This is a 3rd party site run by naypalm and has no functionality nor is it on the NastyFans server. It’s been broken for a long time. Maybe this will motivate naypalm to fix it. Nobody should be concerned by this. Just an idiot wasting his time and money on a poor attempt to extort me. The NastyFans server isn’t vulnerable.

Bottom line. No damage was done. This isn’t even the NastyFans server. This was a poor extortion attempt. The owner was not properly contacted before this was disclosed. This was very clearly a nefarious act, and a piss poor one at that.

By the sound of it, either the user contacted you to disclose the vulnerability which you ignored as insignificant (I'll take your word for it) and this is what you considered extortion, or they didn't contact you in advance in an attempt to notify the owner and therefore there was no extortion. I'm a bit confused as to what actually occurred here, as many are claiming that they didn't attempt to notify the owner, whereas you appear to be claiming otherwise. You surely can't extort someone if you've already publicly published the findings.

OP, Boris007: did you contact OG before posting this, in an attempt to notify the owner? If this was the case, and Og ignored it, then they had the right to publish their findings. If the server isn't vulnerable anyway, there is no offence in the actions of the OP.  It's not breaking & entering if the house is already broken and the doors wide open

The "break" is not literal.  

This is true:

Burglary, also called breaking and entering and sometimes housebreaking, is illegally entering a building or other areas to do something illegal there.

Therefore there would be no damage caused in entry and nothing to steal or break, so just a bit of civil trespassing?
If this site was functional and there was vulnerability to user info, this would be a different story.


Edit: Just noticed the OP claiming:

The requested person was informed before disclosing it here.

End of story.

[OgNasty]

I am not the owner of the server. This doesn’t effect the NastyFans server. It effects the Uberbills server operated by naypalm and I don’t believe contact was properly made with him prior to any disclosure.

[hacker1001101001]

Edit: Just noticed the OP claiming:

The requested person was informed before disclosing it here.

End of story.

Not yet !

Who was the person OP contacted with? Did he even knew the current owner of the website he is testing on and his contact info ? What is the use of making the vulnerability public ?

I don't think anyone/owner of the any website would just avoid acting on the vulnerability when reported. It's even unacceptable that someone denied to act on it once informed.